From e48ec9f39ab67ed259ec58a06a49b6a24d134727 Mon Sep 17 00:00:00 2001 
From: "EMEAAD\\vbakke" Date: Sun, 21 Sep 2025 17:22:35 +0200 Subject: [PATCH 01/23] Merge branch 'v4-base' --- .eslintrc.json | 3 +- .prettierrc.json | 2 +- INSTALL.md | 157 + Issue.md | 59 + TODO.md | 40 + package-lock.json | 3325 ++++++- package.json | 4 + src/app/app-routing.module.ts | 18 +- src/app/app.component.css | 17 + src/app/app.component.html | 12 +- src/app/app.component.spec.ts | 3 +- src/app/app.component.ts | 14 + src/app/app.module.ts | 32 +- .../about-us/about-us.component.html | 3 - .../activity-description.component.html | 71 +- .../activity-description.component.spec.ts | 190 +- .../activity-description.component.ts | 408 +- .../circular-heatmap.component.ts | 923 -- .../dependency-graph.component.spec.ts | 3 +- .../dependency-graph.component.ts | 163 +- src/app/component/kpi/kpi.component.css | 30 + src/app/component/kpi/kpi.component.html | 8 + src/app/component/kpi/kpi.component.ts | 13 + .../component/mapping/mapping.component.css | 55 - .../component/mapping/mapping.component.html | 285 - .../component/mapping/mapping.component.ts | 657 -- .../component/matrix/matrix.component.html | 117 - .../component/matrix/matrix.component.spec.ts | 49 - src/app/component/matrix/matrix.component.ts | 331 - .../modal-message.component.spec.ts | 14 +- .../modal-message/modal-message.component.ts | 18 +- .../progress-slider.component.css | 20 + .../progress-slider.component.html | 14 + .../progress-slider.component.spec.ts | 46 + .../progress-slider.component.ts | 46 + .../readme-to-html.component.ts | 4 +- .../sidenav-buttons.component.html | 6 +- .../sidenav-buttons.component.ts | 3 + .../selectable-list.component.css | 47 + .../selectable-list.component.html | 62 + .../selectable-list.component.ts | 92 + .../teams-groups-editor.component.css | 41 + .../teams-groups-editor.component.html | 42 + .../teams-groups-editor.component.ts | 272 + .../teams-groups-editor.module.ts | 13 + src/app/component/teams/teams.component.css | 44 - 
src/app/component/teams/teams.component.html | 17 - .../component/teams/teams.component.spec.ts | 32 - src/app/component/teams/teams.component.ts | 39 - .../top-header/top-header.component.css | 3 +- src/app/component/usage/usage.component.html | 5 - .../component/userday/userday.component.html | 13 - .../component/userday/userday.component.ts | 10 - src/app/material/material.module.ts | 4 + src/app/model/activity-store.spec.ts | 199 + src/app/model/activity-store.ts | 326 + src/app/model/data-store.ts | 68 + src/app/model/ignore-list.ts | 27 + src/app/model/markdown-text.ts | 36 + src/app/model/meta-store.ts | 90 + src/app/model/progress-store.ts | 467 + src/app/model/sector.ts | 7 + src/app/model/types.ts | 15 + .../about-us/about-us.component.css | 0 .../pages/about-us/about-us.component.html | 2 + .../about-us/about-us.component.spec.ts | 0 .../about-us/about-us.component.ts | 0 .../circular-heatmap.component.css | 38 +- .../circular-heatmap.component.html | 181 +- .../circular-heatmap.component.spec.ts | 6 +- .../circular-heatmap.component.ts | 660 ++ src/app/pages/mapping/mapping.component.css | 42 + src/app/pages/mapping/mapping.component.html | 206 + .../mapping/mapping.component.spec.ts | 17 +- src/app/pages/mapping/mapping.component.ts | 216 + .../matrix/matrix.component.css | 32 + src/app/pages/matrix/matrix.component.html | 96 + src/app/pages/matrix/matrix.component.spec.ts | 103 + src/app/pages/matrix/matrix.component.ts | 262 + .../roadmap/roadmap.component.css} | 0 src/app/pages/roadmap/roadmap.component.html | 4 + .../pages/roadmap/roadmap.component.spec.ts | 24 + src/app/pages/roadmap/roadmap.component.ts | 15 + src/app/pages/teams/teams.component.css | 104 + src/app/pages/teams/teams.component.html | 81 + src/app/pages/teams/teams.component.spec.ts | 53 + src/app/pages/teams/teams.component.ts | 234 + src/app/pages/usage/usage.component.css | 0 src/app/pages/usage/usage.component.html | 3 + .../usage/usage.component.spec.ts | 0 
.../usage/usage.component.ts | 2 + .../userday/userday.component.css | 0 src/app/pages/userday/userday.component.html | 12 + .../userday/userday.component.spec.ts | 0 src/app/pages/userday/userday.component.ts | 15 + .../loader/data-loader.service.spec.ts | 18 + src/app/service/loader/data-loader.service.ts | 176 + .../loader/mock-data-loader.service.ts | 39 + src/app/service/sector-service.ts | 67 + .../yaml-loader/yaml-loader.service.spec.ts | 56 + .../yaml-loader/yaml-loader.service.ts | 192 + .../yaml-parser/yaml-parser.service.spec.ts | 22 - .../yaml-parser/yaml-parser.service.ts | 28 - src/app/util/ArrayHash.ts | 6 + src/app/util/download.ts | 10 + src/app/util/util.ts | 47 + src/assets/Markdown Files/ABOUT-FORK.md | 9 + src/assets/Markdown Files/README.md | 7 +- src/assets/Markdown Files/TODO-v4.md | 124 + src/assets/YAML/custom/custom-activities.yaml | 35 + .../YAML/custom/custom-experimental.yaml | 17 + .../YAML/custom/test-ignore-activities.yaml | 22 + src/assets/YAML/default/activities-short.yaml | 87 + src/assets/YAML/default/activities.yaml | 8597 +++++++++++++++++ src/assets/YAML/default/teams.yaml | 28 + src/assets/YAML/generated/generated.yaml | 8597 +++++++++++++++++ src/assets/YAML/meta.yaml | 70 +- src/assets/YAML/team-progress-2.yaml | 16 + src/assets/YAML/team-progress-default.yaml | 2 + src/assets/YAML/team-progress.yaml | 120 + src/assets/YAML/teams.yaml | 10 +- src/assets/seek.html | 140 + src/custom-theme.scss | 46 +- src/environments/environment.prod.ts | 1 + src/environments/environment.ts | 10 +- src/index.html | 2 +- src/main.ts | 1 + src/styles.css | 27 + src/test.ts | 5 +- 129 files changed, 26415 insertions(+), 3761 deletions(-) create mode 100644 INSTALL.md create mode 100644 Issue.md create mode 100644 TODO.md delete mode 100644 src/app/component/about-us/about-us.component.html delete mode 100644 src/app/component/circular-heatmap/circular-heatmap.component.ts create mode 100644 src/app/component/kpi/kpi.component.css create mode 
100644 src/app/component/kpi/kpi.component.html create mode 100644 src/app/component/kpi/kpi.component.ts delete mode 100644 src/app/component/mapping/mapping.component.css delete mode 100644 src/app/component/mapping/mapping.component.html delete mode 100644 src/app/component/mapping/mapping.component.ts delete mode 100644 src/app/component/matrix/matrix.component.html delete mode 100644 src/app/component/matrix/matrix.component.spec.ts delete mode 100644 src/app/component/matrix/matrix.component.ts create mode 100644 src/app/component/progress-slider/progress-slider.component.css create mode 100644 src/app/component/progress-slider/progress-slider.component.html create mode 100644 src/app/component/progress-slider/progress-slider.component.spec.ts create mode 100644 src/app/component/progress-slider/progress-slider.component.ts create mode 100644 src/app/component/teams-groups-editor/selectable-list.component.css create mode 100644 src/app/component/teams-groups-editor/selectable-list.component.html create mode 100644 src/app/component/teams-groups-editor/selectable-list.component.ts create mode 100644 src/app/component/teams-groups-editor/teams-groups-editor.component.css create mode 100644 src/app/component/teams-groups-editor/teams-groups-editor.component.html create mode 100644 src/app/component/teams-groups-editor/teams-groups-editor.component.ts create mode 100644 src/app/component/teams-groups-editor/teams-groups-editor.module.ts delete mode 100644 src/app/component/teams/teams.component.css delete mode 100644 src/app/component/teams/teams.component.html delete mode 100644 src/app/component/teams/teams.component.spec.ts delete mode 100644 src/app/component/teams/teams.component.ts delete mode 100644 src/app/component/usage/usage.component.html delete mode 100644 src/app/component/userday/userday.component.html delete mode 100644 src/app/component/userday/userday.component.ts create mode 100644 src/app/model/activity-store.spec.ts create mode 100644 
src/app/model/activity-store.ts create mode 100644 src/app/model/data-store.ts create mode 100644 src/app/model/ignore-list.ts create mode 100644 src/app/model/markdown-text.ts create mode 100644 src/app/model/meta-store.ts create mode 100644 src/app/model/progress-store.ts create mode 100644 src/app/model/sector.ts create mode 100644 src/app/model/types.ts rename src/app/{component => pages}/about-us/about-us.component.css (100%) create mode 100644 src/app/pages/about-us/about-us.component.html rename src/app/{component => pages}/about-us/about-us.component.spec.ts (100%) rename src/app/{component => pages}/about-us/about-us.component.ts (100%) rename src/app/{component => pages}/circular-heatmap/circular-heatmap.component.css (81%) rename src/app/{component => pages}/circular-heatmap/circular-heatmap.component.html (61%) rename src/app/{component => pages}/circular-heatmap/circular-heatmap.component.spec.ts (84%) create mode 100644 src/app/pages/circular-heatmap/circular-heatmap.component.ts create mode 100644 src/app/pages/mapping/mapping.component.css create mode 100644 src/app/pages/mapping/mapping.component.html rename src/app/{component => pages}/mapping/mapping.component.spec.ts (71%) create mode 100644 src/app/pages/mapping/mapping.component.ts rename src/app/{component => pages}/matrix/matrix.component.css (74%) create mode 100644 src/app/pages/matrix/matrix.component.html create mode 100644 src/app/pages/matrix/matrix.component.spec.ts create mode 100644 src/app/pages/matrix/matrix.component.ts rename src/app/{component/usage/usage.component.css => pages/roadmap/roadmap.component.css} (100%) create mode 100644 src/app/pages/roadmap/roadmap.component.html create mode 100644 src/app/pages/roadmap/roadmap.component.spec.ts create mode 100644 src/app/pages/roadmap/roadmap.component.ts create mode 100644 src/app/pages/teams/teams.component.css create mode 100644 src/app/pages/teams/teams.component.html create mode 100644 
src/app/pages/teams/teams.component.spec.ts create mode 100644 src/app/pages/teams/teams.component.ts create mode 100644 src/app/pages/usage/usage.component.css create mode 100644 src/app/pages/usage/usage.component.html rename src/app/{component => pages}/usage/usage.component.spec.ts (100%) rename src/app/{component => pages}/usage/usage.component.ts (86%) rename src/app/{component => pages}/userday/userday.component.css (100%) create mode 100644 src/app/pages/userday/userday.component.html rename src/app/{component => pages}/userday/userday.component.spec.ts (100%) create mode 100644 src/app/pages/userday/userday.component.ts create mode 100644 src/app/service/loader/data-loader.service.spec.ts create mode 100644 src/app/service/loader/data-loader.service.ts create mode 100644 src/app/service/loader/mock-data-loader.service.ts create mode 100644 src/app/service/sector-service.ts create mode 100644 src/app/service/yaml-loader/yaml-loader.service.spec.ts create mode 100644 src/app/service/yaml-loader/yaml-loader.service.ts delete mode 100644 src/app/service/yaml-parser/yaml-parser.service.spec.ts delete mode 100644 src/app/service/yaml-parser/yaml-parser.service.ts create mode 100644 src/app/util/ArrayHash.ts create mode 100644 src/app/util/download.ts create mode 100644 src/app/util/util.ts create mode 100644 src/assets/Markdown Files/ABOUT-FORK.md create mode 100644 src/assets/Markdown Files/TODO-v4.md create mode 100644 src/assets/YAML/custom/custom-activities.yaml create mode 100644 src/assets/YAML/custom/custom-experimental.yaml create mode 100644 src/assets/YAML/custom/test-ignore-activities.yaml create mode 100644 src/assets/YAML/default/activities-short.yaml create mode 100644 src/assets/YAML/default/activities.yaml create mode 100644 src/assets/YAML/default/teams.yaml create mode 100644 src/assets/YAML/generated/generated.yaml create mode 100644 src/assets/YAML/team-progress-2.yaml create mode 100644 src/assets/YAML/team-progress-default.yaml create mode 
100644 src/assets/YAML/team-progress.yaml
 create mode 100644 src/assets/seek.html
diff --git a/.eslintrc.json b/.eslintrc.json
index 4d02a0dbe..ebab12145 100644
--- a/.eslintrc.json
+++ b/.eslintrc.json
@@ -1,7 +1,8 @@
 {
 "root": true,
 "ignorePatterns": [
- "projects/**/*"
+ "projects/**/*",
+ "*.css"
 ],
 "overrides": [
 {
diff --git a/.prettierrc.json b/.prettierrc.json
index ff4791ca6..e0daba441 100644
--- a/.prettierrc.json
+++ b/.prettierrc.json
@@ -7,6 +7,6 @@
 "arrowParens": "avoid",
 "trailingComma": "es5",
 "bracketSameLine": true,
- "printWidth": 80,
+ "printWidth": 100,
 "endOfLine": "auto"
 }
\ No newline at end of file
diff --git a/INSTALL.md b/INSTALL.md
new file mode 100644
index 000000000..dd0d916f4
--- /dev/null
+++ b/INSTALL.md
@@ -0,0 +1,157 @@ +# Install DSOMM +The DSOMM application is frontend only. Data is only stored in server side YAML files, and in the localStorage im the user's browser. + +The application can be deployed in many ways. using a number of Docker, Amazon AWS and a standalone Angular service. + +## Get the Activities + +The _DSOMM activities_ are maintained in a separate GitHub repository. For the latest version, get it from: +- https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data + + +## Docker +1. Install [Docker](https://www.docker.com) +1. Download and run DSOMM: \ + `docker pull wurstbrot/dsomm:latest` \ + `docker run --rm -p 8080:8080 wurstbrot/dsomm:latest` +1. Open DSOMM on http://localhost:8080 + - If you are using docker-machine instead of the native docker installation on Windows or macOs: open instead +If you want to override the default `generated.yaml` you can mount this file when starting the docker command. + +`docker run --rm --volume $PWD/generated.yaml:/srv/assets/YAML/generated/generated.yaml -p 8080:8080 wurstbrot/dsomm` + +**NB!** Note that the docker command requires an absolute path to the local file. (Hence, the use of the `$PWD` variable. On Windows, substitute `$PWD` with `%CD%`.) + + + +## Amazon EC2 Instance + +1. In the _EC2_ sidenav select _Instances_ and click _Launch Instance_ +2. In _Step 1: Choose an Amazon Machine Image (AMI)_ choose an _Amazon + Linux AMI_ or _Amazon Linux 2 AMI_ +3. In _Step 3: Configure Instance Details_ unfold _Advanced Details_ and + copy the script below into _User Data_ +4. In _Step 6: Configure Security Group_ add a _Rule_ that opens port 80 + for HTTP +5. Launch your instance +6. Browse to your instance's public DNS + +```bash +#!/bin/bash +service docker start +docker run -d -p 80:8080 wurstbrot/dsomm:latest +``` + + + +## Any web server - Angular build +Since DSOMM is a frontend only application, any web server can host DSOMM. 
+- Clone the DSOMM repo + +- **NB!** The DSOMM activities are maintained separately. Download the `generated.yaml` and put it in the required folder +``` +git clone https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel.git +cd DevSecOps-MaturityModel +npm install +curl https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml -o src/assets/YAML/generated/generated.yaml +ng build +``` +The files that were created in the subfolder `dist` + + + + + + + + +## Teams and Groups +To customize these teams, you can create your own [meta.yaml](src/assets/meta.yaml) file with your unique team definitions. + +Assessments within the framework can be based on either a team or a specific application, which can be referred to as the context. Depending on how you define the context or teams, you may want to group them together. + +Here are a couple of examples to illustrate this, in breakers the DSOMM word: +- Multiple applications (teams) can belong to a single overarching team (application). +- Multiple teams (teams) can belong to a larger department (group). + +Feel free to create your own [meta.yaml](src/assets/meta.yaml) file to tailor the framework to your specific needs and mount it in your environment (e.g. kubernetes or docker). +Here is an example to start docker with customized meta.yaml: +``` +# Customized meta.yaml +cp src/assets/YAML/meta.yaml . +docker run -v $(pwd)/meta.yaml:/srv/assets/YAML/meta.yaml -p 8080:8080 wurstbrot/dsomm + +# Customized meta.yaml and generated.yaml +cp src/assets/YAML/meta.yaml . +cp $(pwd)/src/assets/YAML/generated/generated.yaml . +docker run -v $(pwd)/meta.yaml:/srv/assets/YAML/meta.yaml -v $(pwd)/generated.yaml:/srv/assets/YAML/generated/generated.yaml -p 8080:8080 wurstbrot/dsomm +``` + +In the corresponding [dimension YAMLs](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/tree/main/src/assets/YAML/default), use: +``` +[...] 
+ teamsImplemented: + Default: false + B: true + C: true + teamsEvidence: + B: All team members completed OWASP Secure Coding Dojo training on 2025-01-11. + C: | + The pentest report from 2025 has been split into Jira tasks under + [TODO-123](https://jira.example.com/issues/TODO-123). + + _2025-04-01:_ All fixes of **critical** findings are deployed to production. +``` +The `|` is yaml syntax to indicate that the evidence spans multiple lines. Markdown +syntax can be used. The evidence is currently visible on the activity from the Matrix page. + +# Back link + +- [OWASP DevSecOps maturity model page](https://dsomm.timo-pagel.de/) +- [OWASP DevSecOps project page](https://owasp.org/www-project-devsecops-maturity-model/) +- [OWASP](https://owasp.org) + +# Your help is needed to perform + +* Adding a manual on how to use DSOMM +* Integration of Incident Response +* DevSecOps Toolchain Categorization +* App Sec Maturity Models Mapping +* CAMS Categorization +* Adding assessment questions + +# Multi-language support +Multi-language support is not currently planned. + +# Sponsors + +[![Timo Pagel IT-Consulting](https://raw.githubusercontent.com/DefectDojo/Documentation/master/doc/img/timo-pagel-logo.png)](https://pagel.pro) + +[![Apprio Inc](https://github.com/wurstbrot/DevSecOps-MaturityModel/raw/master-old/assets/images/Apiiro_black_logo.png)](https://apiiro.com/) + +[![Heroku (hosting)](https://github.com/wurstbrot/DevSecOps-MaturityModel/raw/master/src/assets/images/sponsors/heroku.png)](https://www.heroku.com/open-source-credit-program) + +# Donations + +If you are using the model or you are inspired by it, want to help but don't want to create pull requests? You can donate at the [OWASP Project Wiki Page](https://owasp.org/donate/?reponame=www-project-devsecops-maturity-model&title=OWASP+Devsecops+Maturity+Model). Donations might be used for the design of logos/images/design or travels. 
+ +# License + +This program is free software: you can redistribute it and/or modify it under the terms of the [GPL 3](https://www.gnu.org/licenses/) license. + +The intellectual property (content in the _data_ folder) is licensed under Attribution-ShareAlike. +An example attribution by changing the content: +> This work is based on the [OWASP DevSecOps Maturity Model](https://dsomm.timo-pagel.de). + +The OWASP DevSecOps Maturity Model and any contributions are Copyright © by Timo Pagel 2017-2025. + + +For customized DSOMM, take a look at https://github.com/wurstbrot/DevSecOps-MaturityModel-custom. + +You can download your current state from the circular heatmap and mount it again via + +```bash +wget https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml # or go to /circular-heatmap and download edited yaml (bottom right) +docker run -p 8080:8080 -v /tmp/generated.yaml:/srv/assets/YAML/generated/generated.yaml wurstbrot/dsomm:latest +``` + diff --git a/Issue.md b/Issue.md new file mode 100644 index 000000000..a4e6e0588 --- /dev/null +++ b/Issue.md 
@@ -0,0 +1,59 @@
+# Changing team names has no effect
+
+## Expected outcome
+* Updating the teams names and groups in `meta.yaml` should be visible in the browser after a refresh
+
+## Actual outcome
+
+## Steps to reproduce
+1) Clone the repo \
+ `git clone https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel.git`
+
+2) Install dependencies \
+ `cd DevSecOps-MaturityModel` \
+ `npm install`
+
+3) Download the default teams setup \
+ `curl https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml -o src/assets/YAML/generated/generated.yaml`
+
+4) Start the web server \
+ `ng server` (or maybe `npx ng server`)
+
+5) Open *incognito mode* os a web browser and visit \
+ http://localhost:4200/circular-heatmap
+
+6) Verify that the teams are 'Default', 'B' and 'C'
+
+7) Fill in data for some of the teams
+ - Click on a sector in the circle (e.g. *Build* Level 1)
+ - Expand *Defined build process*
+ - Tick all three teams
+ - Click on another sector in the circle (e.g. *Deployment* Level 1)
+ - Expand *Defined deployment process*
+ - Tick 'Default' and 'B' only
+
+8) Download `generated.yaml`
+
+### Change names of teams
+9) Open `src\assets\YAML\meta.yaml`
+10) Edit team names in 'meta'
+ - Rename `Default` to `A` in `teams` and `teamGroups`
+ - Add `D` on `teams` and `teamGroups.GroupA`
+ - Add `GroupD: ['C', 'D']` under `teamGroups`
+11) Update team names in 'generated'
+ - Rename all `Default:` to `A:` in the downloaded `generated.yaml`
+ - Add `D: true` on line 130 for *Defined build process*
+
+12) Replace `src/assets/YAML/generated/generated.yaml` with the newly modified version
+
+### Verify data in your browser
+13) Refresh your browser
+ * The team filters are showing the new names
+ * But expanding the activity cards only show `B` and `C`
+
+
+
+
+
+
+
diff --git a/TODO.md b/TODO.md
new file mode 100644
index 000000000..c83ea5ccf
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,40 @@
+# File issue:
+ - UI not responsive to screen size
+ - Changing team names has no effect
+ - Default installation (no generated.yaml) does not work
+ - Filter illogical / not working as expected
+
+
+# ToDo
+- App: Alert when generated.yaml is not found
+- App: Filter radio buttons: Default, no selections: meaning all selected
+- App: Make radio button, and use Ctrl-Click to multiple (hold click on mobile)
+- App: Fix bug, that greys out all sectors on startup
+- App: Onboarding: Define teams, Setup generated.yaml (is 'generated.yaml' a good name?)
+
+- Heatmap: TeamGroup filter: No selection means all selected
+- Heatmap: TeamGroup filter: Fix removing last filter
+- Heatmap: Add Reset data under settings
+- Heatmap: Highlight selected sector
+
+- Heatmap: Alter current bright yellow hover
+
+- Heatmap modal: Default: Close some tabs
+- Heatmap modal: Store opened/closed tabs in local storage
+
+- Mapping: Add "Sort by:"
+- Mapping: Fix: Sort by ISO 2017 is DESC (and 12.2)
+
+- Matrix: Make radio button, and use Ctrl-Click to multiple (hold click on mobile)
+
+# Doing
+- Heatmap: Fix color calculations, to base on TeamVisible
+- Heatmap: Allow non-standard team names and groups
+
+# Done
+- Heatmap: Make heatmap the start page
+- Heatmap: Center labels on sectors
+- Heatmap: Fix calculations of heatmap dimension
+- Heatmap: Toggle filters' visibility
+- Heatmap: (Re)move Reset button
+- Heatmap: Fix responsive layout
diff --git a/package-lock.json b/package-lock.json
index 7092620fe..c72ae96df 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -20,6 +20,8 @@ "@angular/platform-browser": "^13.0.0", "@angular/platform-browser-dynamic": "^13.0.0", "@angular/router": "^13.0.0", + "@grafana/faro-web-sdk": "^1.12.2", + "@grafana/faro-web-tracing": "^1.12.2", "@ngneat/until-destroy": "^10.0.0-beta.0", "d3": "^7.5.0", "js-yaml": "^4.1.0", 
@@ -27,6 +29,7 @@ "rxjs": "~7.5.0", "tslib": "^2.8.1", "xlsx": "^0.18.5", + "yaml": "^2.8.1", "yamljs": "^0.3.0", "zone.js": "~0.11.4" }, @@ -38,6 +41,7 @@ "@angular-eslint/schematics": "^13.0.0", "@angular-eslint/template-parser": "^13.0.0", "@angular/compiler-cli": "^13.0.0", + "@grafana/faro-webpack-plugin": "^0.1.1", "@types/d3": "^7.4.0", "@types/jasmine": "~3.10.0", "@types/js-yaml": "^4.0.9", 
@@ -2790,6 +2794,508 @@ "resolved": "https://registry.npmjs.org/@gar/promisify/-/promisify-1.1.3.tgz", "integrity": "sha512-k2Ty1JcVojjJFwrg/ThKi2ujJ7XNLYaFGNB/bWT9wGR+oSMJHMa5w+CUq6p/pVrKeNNgA7pCqEcjSnHVoqJQFw==" }, + "node_modules/@grafana/faro-bundlers-shared": { + "version": "0.1.1", + "resolved": "https://registry.npmjs.org/@grafana/faro-bundlers-shared/-/faro-bundlers-shared-0.1.1.tgz", + "integrity": "sha512-ZjMm5z9WpvRNsIplIKV5bNy0lbbMJjjuNHR40Wd4VvkuHhg2uJxMydW3016JQGmliJJL8kyGpVe7Uy0c8aqq3w==", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "ansis": "^3.2.0", + "node-tar": "^1.0.0", + "tar": "^7.1.0" + } + }, + "node_modules/@grafana/faro-bundlers-shared/node_modules/brace-expansion": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", + "dev": true, + "license": "MIT", + "dependencies": { + "balanced-match": "^1.0.0" + } + }, + "node_modules/@grafana/faro-bundlers-shared/node_modules/chownr": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz", + "integrity": "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==", + "dev": true, + "license": "BlueOak-1.0.0", + "engines": { + "node": ">=18" + } + }, + "node_modules/@grafana/faro-bundlers-shared/node_modules/glob": { + "version": "10.4.5", + "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz", + "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==", + "dev": true, + "license": "ISC", + "dependencies": { + "foreground-child": "^3.1.0", + "jackspeak": "^3.1.2", + "minimatch": "^9.0.4", + "minipass": "^7.1.2", + "package-json-from-dist": "^1.0.0", + "path-scurry": "^1.11.1" + }, + "bin": { + "glob": "dist/esm/bin.mjs" + }, + "funding": { + "url": 
"https://github.com/sponsors/isaacs" + } + }, + "node_modules/@grafana/faro-bundlers-shared/node_modules/minimatch": { + "version": "9.0.5", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", + "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==", + "dev": true, + "license": "ISC", + "dependencies": { + "brace-expansion": "^2.0.1" + }, + "engines": { + "node": ">=16 || 14 >=14.17" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/@grafana/faro-bundlers-shared/node_modules/minipass": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", + "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "dev": true, + "license": "ISC", + "engines": { + "node": ">=16 || 14 >=14.17" + } + }, + "node_modules/@grafana/faro-bundlers-shared/node_modules/minizlib": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-3.0.1.tgz", + "integrity": "sha512-umcy022ILvb5/3Djuu8LWeqUa8D68JaBzlttKeMWen48SjabqS3iY5w/vzeMzMUNhLDifyhbOwKDSznB1vvrwg==", + "dev": true, + "license": "MIT", + "dependencies": { + "minipass": "^7.0.4", + "rimraf": "^5.0.5" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/@grafana/faro-bundlers-shared/node_modules/mkdirp": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-3.0.1.tgz", + "integrity": "sha512-+NsyUUAZDmo6YVHzL/stxSu3t9YS1iljliy3BSDrXJ/dkn1KYdmtZODGGjLcc9XLgVVpH4KshHB8XmZgMhaBXg==", + "dev": true, + "license": "MIT", + "bin": { + "mkdirp": "dist/cjs/src/bin.js" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/@grafana/faro-bundlers-shared/node_modules/rimraf": { + "version": "5.0.10", + "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-5.0.10.tgz", + "integrity": 
"sha512-l0OE8wL34P4nJH/H2ffoaniAokM2qSmrtXHmlpvYr5AVVX8msAyW0l8NVJFDxlSK4u3Uh/f41cQheDVdnYijwQ==", + "dev": true, + "license": "ISC", + "dependencies": { + "glob": "^10.3.7" + }, + "bin": { + "rimraf": "dist/esm/bin.mjs" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/@grafana/faro-bundlers-shared/node_modules/tar": { + "version": "7.4.3", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz", + "integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==", + "dev": true, + "license": "ISC", + "dependencies": { + "@isaacs/fs-minipass": "^4.0.0", + "chownr": "^3.0.0", + "minipass": "^7.1.2", + "minizlib": "^3.0.1", + "mkdirp": "^3.0.1", + "yallist": "^5.0.0" + }, + "engines": { + "node": ">=18" + } + }, + "node_modules/@grafana/faro-bundlers-shared/node_modules/yallist": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/yallist/-/yallist-5.0.0.tgz", + "integrity": "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==", + "dev": true, + "license": "BlueOak-1.0.0", + "engines": { + "node": ">=18" + } + }, + "node_modules/@grafana/faro-core": { + "version": "1.12.2", + "resolved": "https://registry.npmjs.org/@grafana/faro-core/-/faro-core-1.12.2.tgz", + "integrity": "sha512-ddE7px/6T1NvVHDl5tpop3mBgSnSjg2XyKcI9V9xOUSQRWderMi91YRF+MXfyenYHbY5gpHXzl+eBMIXk2I17g==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/api": "^1.9.0", + "@opentelemetry/otlp-transformer": "^0.53.0" + } + }, + "node_modules/@grafana/faro-web-sdk": { + "version": "1.12.2", + "resolved": "https://registry.npmjs.org/@grafana/faro-web-sdk/-/faro-web-sdk-1.12.2.tgz", + "integrity": "sha512-vrMaeyJUEkXvRsO3POQgVfHkmMjFdXGqRnPRR60WsvYh7bDzd4M5B2n44cPN7qL1+pTG70g3CcCSX6Kfr4c34Q==", + "license": "Apache-2.0", + "dependencies": { + "@grafana/faro-core": "^1.12.2", + "ua-parser-js": "^1.0.32", + "web-vitals": "^4.0.1" + } + }, + 
"node_modules/@grafana/faro-web-sdk/node_modules/ua-parser-js": { + "version": "1.0.40", + "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.40.tgz", + "integrity": "sha512-z6PJ8Lml+v3ichVojCiB8toQJBuwR42ySM4ezjXIqXK3M0HczmKQ3LF4rhU55PfD99KEEXQG6yb7iOMyvYuHew==", + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/ua-parser-js" + }, + { + "type": "paypal", + "url": "https://paypal.me/faisalman" + }, + { + "type": "github", + "url": "https://github.com/sponsors/faisalman" + } + ], + "license": "MIT", + "bin": { + "ua-parser-js": "script/cli.js" + }, + "engines": { + "node": "*" + } + }, + "node_modules/@grafana/faro-web-tracing": { + "version": "1.12.2", + "resolved": "https://registry.npmjs.org/@grafana/faro-web-tracing/-/faro-web-tracing-1.12.2.tgz", + "integrity": "sha512-sS6frsk3QHYelbCPmVtdqPdYDR8/oBxGfTHnpn1VV+wHeWTcDsD3UD2FhWYY73+M4z1wKt1EaW5OzI0hBnN6lw==", + "license": "Apache-2.0", + "dependencies": { + "@grafana/faro-web-sdk": "^1.12.2", + "@opentelemetry/api": "^1.9.0", + "@opentelemetry/context-zone": "1.26.0", + "@opentelemetry/core": "^1.26.0", + "@opentelemetry/exporter-trace-otlp-http": "^0.53.0", + "@opentelemetry/instrumentation": "^0.53.0", + "@opentelemetry/instrumentation-fetch": "^0.53.0", + "@opentelemetry/instrumentation-xml-http-request": "^0.53.0", + "@opentelemetry/otlp-transformer": "^0.53.0", + "@opentelemetry/resources": "^1.26.0", + "@opentelemetry/sdk-trace-web": "^1.26.0", + "@opentelemetry/semantic-conventions": "^1.27.0" + } + }, + "node_modules/@grafana/faro-webpack-plugin": { + "version": "0.1.1", + "resolved": "https://registry.npmjs.org/@grafana/faro-webpack-plugin/-/faro-webpack-plugin-0.1.1.tgz", + "integrity": "sha512-pU/UXi5X1jB97C49e0Gn2NX4TmQv8rj92mVRkWF0X7DGGoIq1o6MwJ+xPmgBTCJ7dRnyCxKt0iH5q0hF2xLhpQ==", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "@grafana/faro-bundlers-shared": "^0.1.1", + "@rollup/plugin-babel": "^6.0.4", + 
"@rollup/plugin-node-resolve": "^15.2.3", + "cross-fetch": "^4.0.0", + "webpack": "^5.89.0" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/ast": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/ast/-/ast-1.14.1.tgz", + "integrity": "sha512-nuBEDgQfm1ccRp/8bCQrx1frohyufl4JlbMMZ4P1wpeOfDhF6FQkxZJ1b/e+PLwr6X1Nhw6OLme5usuBWYBvuQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "@webassemblyjs/helper-numbers": "1.13.2", + "@webassemblyjs/helper-wasm-bytecode": "1.13.2" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/floating-point-hex-parser": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/floating-point-hex-parser/-/floating-point-hex-parser-1.13.2.tgz", + "integrity": "sha512-6oXyTOzbKxGH4steLbLNOu71Oj+C8Lg34n6CqRvqfS2O71BxY6ByfMDRhBytzknj9yGUPVJ1qIKhRlAwO1AovA==", + "dev": true, + "license": "MIT" + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/helper-api-error": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-api-error/-/helper-api-error-1.13.2.tgz", + "integrity": "sha512-U56GMYxy4ZQCbDZd6JuvvNV/WFildOjsaWD3Tzzvmw/mas3cXzRJPMjP83JqEsgSbyrmaGjBfDtV7KDXV9UzFQ==", + "dev": true, + "license": "MIT" + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/helper-buffer": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-buffer/-/helper-buffer-1.14.1.tgz", + "integrity": "sha512-jyH7wtcHiKssDtFPRB+iQdxlDf96m0E39yb0k5uJVhFGleZFoNw1c4aeIcVUPPbXUVJ94wwnMOAqUHyzoEPVMA==", + "dev": true, + "license": "MIT" + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/helper-numbers": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-numbers/-/helper-numbers-1.13.2.tgz", + "integrity": 
"sha512-FE8aCmS5Q6eQYcV3gI35O4J789wlQA+7JrqTTpJqn5emA4U2hvwJmvFRC0HODS+3Ye6WioDklgd6scJ3+PLnEA==", + "dev": true, + "license": "MIT", + "dependencies": { + "@webassemblyjs/floating-point-hex-parser": "1.13.2", + "@webassemblyjs/helper-api-error": "1.13.2", + "@xtuc/long": "4.2.2" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/helper-wasm-bytecode": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-bytecode/-/helper-wasm-bytecode-1.13.2.tgz", + "integrity": "sha512-3QbLKy93F0EAIXLh0ogEVR6rOubA9AoZ+WRYhNbFyuB70j3dRdwH9g+qXhLAO0kiYGlg3TxDV+I4rQTr/YNXkA==", + "dev": true, + "license": "MIT" + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/helper-wasm-section": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-section/-/helper-wasm-section-1.14.1.tgz", + "integrity": "sha512-ds5mXEqTJ6oxRoqjhWDU83OgzAYjwsCV8Lo/N+oRsNDmx/ZDpqalmrtgOMkHwxsG0iI//3BwWAErYRHtgn0dZw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@webassemblyjs/ast": "1.14.1", + "@webassemblyjs/helper-buffer": "1.14.1", + "@webassemblyjs/helper-wasm-bytecode": "1.13.2", + "@webassemblyjs/wasm-gen": "1.14.1" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/ieee754": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/ieee754/-/ieee754-1.13.2.tgz", + "integrity": "sha512-4LtOzh58S/5lX4ITKxnAK2USuNEvpdVV9AlgGQb8rJDHaLeHciwG4zlGr0j/SNWlr7x3vO1lDEsuePvtcDNCkw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@xtuc/ieee754": "^1.2.0" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/leb128": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/leb128/-/leb128-1.13.2.tgz", + "integrity": "sha512-Lde1oNoIdzVzdkNEAWZ1dZ5orIbff80YPdHx20mrHwHrVNNTjNr8E3xz9BdpcGqRQbAEa+fkrCb+fRFTl/6sQw==", + "dev": true, + "license": 
"Apache-2.0", + "dependencies": { + "@xtuc/long": "4.2.2" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/utf8": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/utf8/-/utf8-1.13.2.tgz", + "integrity": "sha512-3NQWGjKTASY1xV5m7Hr0iPeXD9+RDobLll3T9d2AO+g3my8xy5peVyjSag4I50mR1bBSN/Ct12lo+R9tJk0NZQ==", + "dev": true, + "license": "MIT" + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/wasm-edit": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-edit/-/wasm-edit-1.14.1.tgz", + "integrity": "sha512-RNJUIQH/J8iA/1NzlE4N7KtyZNHi3w7at7hDjvRNm5rcUXa00z1vRz3glZoULfJ5mpvYhLybmVcwcjGrC1pRrQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "@webassemblyjs/ast": "1.14.1", + "@webassemblyjs/helper-buffer": "1.14.1", + "@webassemblyjs/helper-wasm-bytecode": "1.13.2", + "@webassemblyjs/helper-wasm-section": "1.14.1", + "@webassemblyjs/wasm-gen": "1.14.1", + "@webassemblyjs/wasm-opt": "1.14.1", + "@webassemblyjs/wasm-parser": "1.14.1", + "@webassemblyjs/wast-printer": "1.14.1" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/wasm-gen": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-gen/-/wasm-gen-1.14.1.tgz", + "integrity": "sha512-AmomSIjP8ZbfGQhumkNvgC33AY7qtMCXnN6bL2u2Js4gVCg8fp735aEiMSBbDR7UQIj90n4wKAFUSEd0QN2Ukg==", + "dev": true, + "license": "MIT", + "dependencies": { + "@webassemblyjs/ast": "1.14.1", + "@webassemblyjs/helper-wasm-bytecode": "1.13.2", + "@webassemblyjs/ieee754": "1.13.2", + "@webassemblyjs/leb128": "1.13.2", + "@webassemblyjs/utf8": "1.13.2" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/wasm-opt": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-opt/-/wasm-opt-1.14.1.tgz", + "integrity": 
"sha512-PTcKLUNvBqnY2U6E5bdOQcSM+oVP/PmrDY9NzowJjislEjwP/C4an2303MCVS2Mg9d3AJpIGdUFIQQWbPds0Sw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@webassemblyjs/ast": "1.14.1", + "@webassemblyjs/helper-buffer": "1.14.1", + "@webassemblyjs/wasm-gen": "1.14.1", + "@webassemblyjs/wasm-parser": "1.14.1" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/wasm-parser": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-parser/-/wasm-parser-1.14.1.tgz", + "integrity": "sha512-JLBl+KZ0R5qB7mCnud/yyX08jWFw5MsoalJ1pQ4EdFlgj9VdXKGuENGsiCIjegI1W7p91rUlcB/LB5yRJKNTcQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "@webassemblyjs/ast": "1.14.1", + "@webassemblyjs/helper-api-error": "1.13.2", + "@webassemblyjs/helper-wasm-bytecode": "1.13.2", + "@webassemblyjs/ieee754": "1.13.2", + "@webassemblyjs/leb128": "1.13.2", + "@webassemblyjs/utf8": "1.13.2" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/@webassemblyjs/wast-printer": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/wast-printer/-/wast-printer-1.14.1.tgz", + "integrity": "sha512-kPSSXE6De1XOR820C90RIo2ogvZG+c3KiHzqUoO/F34Y2shGzesfqv7o57xrxovZJH/MetF5UjroJ/R/3isoiw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@webassemblyjs/ast": "1.14.1", + "@xtuc/long": "4.2.2" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/ajv": { + "version": "6.12.6", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", + "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", + "dev": true, + "license": "MIT", + "dependencies": { + "fast-deep-equal": "^3.1.1", + "fast-json-stable-stringify": "^2.0.0", + "json-schema-traverse": "^0.4.1", + "uri-js": "^4.2.2" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/epoberezkin" + } + }, + 
"node_modules/@grafana/faro-webpack-plugin/node_modules/ajv-keywords": { + "version": "3.5.2", + "resolved": "https://registry.npmjs.org/ajv-keywords/-/ajv-keywords-3.5.2.tgz", + "integrity": "sha512-5p6WTN0DdTGVQk6VjcEju19IgaHudalcfabD7yhDGeA6bcQnmL+CpveLJq/3hvfwd1aof6L386Ougkx6RfyMIQ==", + "dev": true, + "license": "MIT", + "peerDependencies": { + "ajv": "^6.9.1" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/es-module-lexer": { + "version": "1.5.4", + "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.5.4.tgz", + "integrity": "sha512-MVNK56NiMrOwitFB7cqDwq0CQutbw+0BvLshJSse0MUNU+y1FC3bUS/AQg7oUng+/wKrrki7JfmwtVHkVfPLlw==", + "dev": true, + "license": "MIT" + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/json-schema-traverse": { + "version": "0.4.1", + "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", + "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==", + "dev": true, + "license": "MIT" + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/schema-utils": { + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-3.3.0.tgz", + "integrity": "sha512-pN/yOAvcC+5rQ5nERGuwrjLlYvLTbCibnZ1I7B1LaiAz9BRBlE9GMgE/eqV30P7aJQUf7Ddimy/RsbYO/GrVGg==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/json-schema": "^7.0.8", + "ajv": "^6.12.5", + "ajv-keywords": "^3.5.2" + }, + "engines": { + "node": ">= 10.13.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/webpack" + } + }, + "node_modules/@grafana/faro-webpack-plugin/node_modules/webpack": { + "version": "5.97.1", + "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.97.1.tgz", + "integrity": "sha512-EksG6gFY3L1eFMROS/7Wzgrii5mBAFe4rIr3r2BTfo7bcc+DWwFZ4OJ/miOuHJO/A85HwyI4eQ0F6IKXesO7Fg==", + "dev": true, + "license": "MIT", + "dependencies": { + 
"@types/eslint-scope": "^3.7.7", + "@types/estree": "^1.0.6", + "@webassemblyjs/ast": "^1.14.1", + "@webassemblyjs/wasm-edit": "^1.14.1", + "@webassemblyjs/wasm-parser": "^1.14.1", + "acorn": "^8.14.0", + "browserslist": "^4.24.0", + "chrome-trace-event": "^1.0.2", + "enhanced-resolve": "^5.17.1", + "es-module-lexer": "^1.2.1", + "eslint-scope": "5.1.1", + "events": "^3.2.0", + "glob-to-regexp": "^0.4.1", + "graceful-fs": "^4.2.11", + "json-parse-even-better-errors": "^2.3.1", + "loader-runner": "^4.2.0", + "mime-types": "^2.1.27", + "neo-async": "^2.6.2", + "schema-utils": "^3.2.0", + "tapable": "^2.1.1", + "terser-webpack-plugin": "^5.3.10", + "watchpack": "^2.4.1", + "webpack-sources": "^3.2.3" + }, + "bin": { + "webpack": "bin/webpack.js" + }, + "engines": { + "node": ">=10.13.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/webpack" + }, + "peerDependenciesMeta": { + "webpack-cli": { + "optional": true + } + } + }, "node_modules/@humanwhocodes/config-array": { "version": "0.11.8", "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.8.tgz", 
@@ -2823,6 +3329,132 @@ "integrity": "sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==", "dev": true }, + "node_modules/@isaacs/cliui": { + "version": "8.0.2", + "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", + "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==", + "dev": true, + "license": "ISC", + "dependencies": { + "string-width": "^5.1.2", + "string-width-cjs": "npm:string-width@^4.2.0", + "strip-ansi": "^7.0.1", + "strip-ansi-cjs": "npm:strip-ansi@^6.0.1", + "wrap-ansi": "^8.1.0", + "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/@isaacs/cliui/node_modules/ansi-regex": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz", + "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-regex?sponsor=1" + } + }, + "node_modules/@isaacs/cliui/node_modules/ansi-styles": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", + "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/@isaacs/cliui/node_modules/emoji-regex": { + "version": "9.2.2", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz", + "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==", + "dev": true, + "license": "MIT" + }, + "node_modules/@isaacs/cliui/node_modules/string-width": { + "version": "5.1.2", + "resolved": 
"https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", + "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==", + "dev": true, + "license": "MIT", + "dependencies": { + "eastasianwidth": "^0.2.0", + "emoji-regex": "^9.2.2", + "strip-ansi": "^7.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/@isaacs/cliui/node_modules/strip-ansi": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz", + "integrity": "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "ansi-regex": "^6.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/strip-ansi?sponsor=1" + } + }, + "node_modules/@isaacs/cliui/node_modules/wrap-ansi": { + "version": "8.1.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz", + "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "ansi-styles": "^6.1.0", + "string-width": "^5.0.1", + "strip-ansi": "^7.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" + } + }, + "node_modules/@isaacs/fs-minipass": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz", + "integrity": "sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==", + "dev": true, + "license": "ISC", + "dependencies": { + "minipass": "^7.0.4" + }, + "engines": { + "node": ">=18.0.0" + } + }, + "node_modules/@isaacs/fs-minipass/node_modules/minipass": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", + 
"integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "dev": true, + "license": "ISC", + "engines": { + "node": ">=16 || 14 >=14.17" + } + }, "node_modules/@istanbuljs/load-nyc-config": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/@istanbuljs/load-nyc-config/-/load-nyc-config-1.1.0.tgz", @@ -2899,24 +3531,26 @@ } }, "node_modules/@jridgewell/source-map": { - "version": "0.3.2", - "resolved": "https://registry.npmjs.org/@jridgewell/source-map/-/source-map-0.3.2.tgz", - "integrity": "sha512-m7O9o2uR8k2ObDysZYzdfhb08VuEml5oWGiosa1VdaPZ/A6QyPkAJuwN0Q1lhULOf6B7MtQmHENS743hWtCrgw==", + "version": "0.3.6", + "resolved": "https://registry.npmjs.org/@jridgewell/source-map/-/source-map-0.3.6.tgz", + "integrity": "sha512-1ZJTZebgqllO79ue2bm3rIGud/bOe0pP5BjSRCRxxYkEZS8STV7zN84UBbiYu7jy+eCKSnVIUgoWWE/tt+shMQ==", "dev": true, + "license": "MIT", "dependencies": { - "@jridgewell/gen-mapping": "^0.3.0", - "@jridgewell/trace-mapping": "^0.3.9" + "@jridgewell/gen-mapping": "^0.3.5", + "@jridgewell/trace-mapping": "^0.3.25" } }, "node_modules/@jridgewell/source-map/node_modules/@jridgewell/gen-mapping": { - "version": "0.3.2", - "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.2.tgz", - "integrity": "sha512-mh65xKQAzI6iBcFzwv28KVWSmCkdRBWoOh+bYQGW3+6OZvbbN3TqMGo5hqYxQniRcH9F2VZIoJCm4pa3BPDK/A==", + "version": "0.3.8", + "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.8.tgz", + "integrity": "sha512-imAbBGkb+ebQyxKgzv5Hu2nmROxoDOXHh80evxdoXNOrvAnVx7zimzc1Oo5h9RlfV4vPXaE2iM5pOFbvOCClWA==", "dev": true, + "license": "MIT", "dependencies": { - "@jridgewell/set-array": "^1.0.1", + "@jridgewell/set-array": "^1.2.1", "@jridgewell/sourcemap-codec": "^1.4.10", - "@jridgewell/trace-mapping": "^0.3.9" + "@jridgewell/trace-mapping": "^0.3.24" }, "engines": { "node": ">=6.0.0" 
@@ -3599,22 +4233,575 @@ "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==", "dev": true }, - "node_modules/@parcel/watcher": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.0.4.tgz", - "integrity": "sha512-cTDi+FUDBIUOBKEtj+nhiJ71AZVlkAsQFuGQTun5tV9mwQBQgZvhCzG+URPQc8myeN32yRVZEfVAPCs1RW+Jvg==", + "node_modules/@opentelemetry/api": { + "version": "1.9.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.0.tgz", + "integrity": "sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg==", + "license": "Apache-2.0", + "engines": { + "node": ">=8.0.0" + } + }, + "node_modules/@opentelemetry/api-logs": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/api-logs/-/api-logs-0.53.0.tgz", + "integrity": "sha512-8HArjKx+RaAI8uEIgcORbZIPklyh1YLjPSBus8hjRmvLi6DeFzgOcdZ7KwPabKj8mXF8dX0hyfAyGfycz0DbFw==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/api": "^1.0.0" + }, + "engines": { + "node": ">=14" + } + }, + "node_modules/@opentelemetry/context-zone": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/context-zone/-/context-zone-1.26.0.tgz", + "integrity": "sha512-ckBEUKo7jZnZ2jARcntv365413cTe9Ra7uMQWvdk10K3tWOUsLnBG8dSMRbkaA+XL9hWGrZ1MMI8UXrwnbp0FA==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/context-zone-peer-dep": "1.26.0", + "zone.js": "^0.11.0 || ^0.12.0 || ^0.13.0 || ^0.14.0" + }, + "engines": { + "node": ">=14" + } + }, + "node_modules/@opentelemetry/context-zone-peer-dep": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/context-zone-peer-dep/-/context-zone-peer-dep-1.26.0.tgz", + "integrity": "sha512-Mgdy0WsHR52h5AnN2nhZJrelDK6unOFr8aSn3ToETk6DLSOijayOi0M0SZM72qhWr7iFrJ1oxGEIK8uzVaSC8Q==", + "license": "Apache-2.0", + "engines": { + "node": ">=14" + }, + 
"peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0", + "zone.js": "^0.10.2 || ^0.11.0 || ^0.12.0 || ^0.13.0 || ^0.14.0" + } + }, + "node_modules/@opentelemetry/core": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-1.26.0.tgz", + "integrity": "sha512-1iKxXXE8415Cdv0yjG3G6hQnB5eVEsJce3QaawX8SjDn0mAS0ZM8fAbZZJD4ajvhC15cePvosSCut404KrIIvQ==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/semantic-conventions": "1.27.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/exporter-trace-otlp-http": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-trace-otlp-http/-/exporter-trace-otlp-http-0.53.0.tgz", + "integrity": "sha512-m7F5ZTq+V9mKGWYpX8EnZ7NjoqAU7VemQ1E2HAG+W/u0wpY1x0OmbxAXfGKFHCspdJk8UKlwPGrpcB8nay3P8A==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/otlp-exporter-base": "0.53.0", + "@opentelemetry/otlp-transformer": "0.53.0", + "@opentelemetry/resources": "1.26.0", + "@opentelemetry/sdk-trace-base": "1.26.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": "^1.0.0" + } + }, + "node_modules/@opentelemetry/instrumentation": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/instrumentation/-/instrumentation-0.53.0.tgz", + "integrity": "sha512-DMwg0hy4wzf7K73JJtl95m/e0boSoWhH07rfvHvYzQtBD3Bmv0Wc1x733vyZBqmFm8OjJD0/pfiUg1W3JjFX0A==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/api-logs": "0.53.0", + "@types/shimmer": "^1.2.0", + "import-in-the-middle": "^1.8.1", + "require-in-the-middle": "^7.1.1", + "semver": "^7.5.2", + "shimmer": "^1.2.1" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": "^1.3.0" + } + }, + "node_modules/@opentelemetry/instrumentation-fetch": { + 
"version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/instrumentation-fetch/-/instrumentation-fetch-0.53.0.tgz", + "integrity": "sha512-Sayp/Oypr0lyTgOKide/Dz4ovqDWPdmazapCMyfsVpXpV9zrH2kbdO2vAKUMx9vF98vxsqcxXucf4z54WXWZ8A==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/instrumentation": "0.53.0", + "@opentelemetry/sdk-trace-web": "1.26.0", + "@opentelemetry/semantic-conventions": "1.27.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": "^1.0.0" + } + }, + "node_modules/@opentelemetry/instrumentation-fetch/node_modules/@opentelemetry/sdk-trace-web": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-web/-/sdk-trace-web-1.26.0.tgz", + "integrity": "sha512-sxeKPcG/gUyxZ8iB8X1MI8/grfSCGgo1n2kxOE73zjVaO9yW/7JuVC3gqUaWRjtZ6VD/V3lo2/ZSwMlm6n2mdg==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/sdk-trace-base": "1.26.0", + "@opentelemetry/semantic-conventions": "1.27.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/instrumentation-xml-http-request": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/instrumentation-xml-http-request/-/instrumentation-xml-http-request-0.53.0.tgz", + "integrity": "sha512-vkALs8zdEUU3GnGvq1rzP0RK3+Fsk2jyzY6X/a+ibbo/miCmmeQNHX+fBRNs/3Offquj19M0qD+olNU9CJloqg==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/instrumentation": "0.53.0", + "@opentelemetry/sdk-trace-web": "1.26.0", + "@opentelemetry/semantic-conventions": "1.27.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": "^1.0.0" + } + }, + "node_modules/@opentelemetry/instrumentation-xml-http-request/node_modules/@opentelemetry/sdk-trace-web": { + 
"version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-web/-/sdk-trace-web-1.26.0.tgz", + "integrity": "sha512-sxeKPcG/gUyxZ8iB8X1MI8/grfSCGgo1n2kxOE73zjVaO9yW/7JuVC3gqUaWRjtZ6VD/V3lo2/ZSwMlm6n2mdg==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/sdk-trace-base": "1.26.0", + "@opentelemetry/semantic-conventions": "1.27.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/instrumentation/node_modules/semver": { + "version": "7.6.3", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz", + "integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==", + "license": "ISC", + "bin": { + "semver": "bin/semver.js" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/@opentelemetry/otlp-exporter-base": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.53.0.tgz", + "integrity": "sha512-UCWPreGQEhD6FjBaeDuXhiMf6kkBODF0ZQzrk/tuQcaVDJ+dDQ/xhJp192H9yWnKxVpEjFrSSLnpqmX4VwX+eA==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/otlp-transformer": "0.53.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": "^1.0.0" + } + }, + "node_modules/@opentelemetry/otlp-transformer": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-transformer/-/otlp-transformer-0.53.0.tgz", + "integrity": "sha512-rM0sDA9HD8dluwuBxLetUmoqGJKSAbWenwD65KY9iZhUxdBHRLrIdrABfNDP7aiTjcgK8XFyTn5fhDz7N+W6DA==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/api-logs": "0.53.0", + "@opentelemetry/core": "1.26.0", + "@opentelemetry/resources": "1.26.0", + "@opentelemetry/sdk-logs": "0.53.0", + "@opentelemetry/sdk-metrics": "1.26.0", + 
"@opentelemetry/sdk-trace-base": "1.26.0", + "protobufjs": "^7.3.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": "^1.3.0" + } + }, + "node_modules/@opentelemetry/resources": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-1.26.0.tgz", + "integrity": "sha512-CPNYchBE7MBecCSVy0HKpUISEeJOniWqcHaAHpmasZ3j9o6V3AyBzhRc90jdmemq0HOxDr6ylhUbDhBqqPpeNw==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/semantic-conventions": "1.27.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/sdk-logs": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.53.0.tgz", + "integrity": "sha512-dhSisnEgIj/vJZXZV6f6KcTnyLDx/VuQ6l3ejuZpMpPlh9S1qMHiZU9NMmOkVkwwHkMy3G6mEBwdP23vUZVr4g==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/api-logs": "0.53.0", + "@opentelemetry/core": "1.26.0", + "@opentelemetry/resources": "1.26.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.4.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/sdk-metrics": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-1.26.0.tgz", + "integrity": "sha512-0SvDXmou/JjzSDOjUmetAAvcKQW6ZrvosU0rkbDGpXvvZN+pQF6JbK/Kd4hNdK4q/22yeruqvukXEJyySTzyTQ==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/resources": "1.26.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.3.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/sdk-trace-base": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-1.26.0.tgz", + "integrity": 
"sha512-olWQldtvbK4v22ymrKLbIcBi9L2SpMO84sCPY54IVsJhP9fRsxJT194C/AVaAuJzLE30EdhhM1VmvVYR7az+cw==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/resources": "1.26.0", + "@opentelemetry/semantic-conventions": "1.27.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/sdk-trace-web": { + "version": "1.30.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-web/-/sdk-trace-web-1.30.0.tgz", + "integrity": "sha512-tSsPbaOQqmkfSkRkMnv1T8au2hwlv3v5ZUGmRwc7zIL1hokhZKg5qhqTsvrWvRENlZ7+J9+cXZFKIMNKHodyhQ==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.30.0", + "@opentelemetry/sdk-trace-base": "1.30.0", + "@opentelemetry/semantic-conventions": "1.28.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/sdk-trace-web/node_modules/@opentelemetry/core": { + "version": "1.30.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-1.30.0.tgz", + "integrity": "sha512-Q/3u/K73KUjTCnFUP97ZY+pBjQ1kPEgjOfXj/bJl8zW7GbXdkw6cwuyZk6ZTXkVgCBsYRYUzx4fvYK1jxdb9MA==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/semantic-conventions": "1.28.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/sdk-trace-web/node_modules/@opentelemetry/resources": { + "version": "1.30.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-1.30.0.tgz", + "integrity": "sha512-5mGMjL0Uld/99t7/pcd7CuVtJbkARckLVuiOX84nO8RtLtIz0/J6EOHM2TGvPZ6F4K+XjUq13gMx14w80SVCQg==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.30.0", + "@opentelemetry/semantic-conventions": "1.28.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + 
"@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/sdk-trace-web/node_modules/@opentelemetry/sdk-trace-base": { + "version": "1.30.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-1.30.0.tgz", + "integrity": "sha512-RKQDaDIkV7PwizmHw+rE/FgfB2a6MBx+AEVVlAHXRG1YYxLiBpPX2KhmoB99R5vA4b72iJrjle68NDWnbrE9Dg==", + "license": "Apache-2.0", + "dependencies": { + "@opentelemetry/core": "1.30.0", + "@opentelemetry/resources": "1.30.0", + "@opentelemetry/semantic-conventions": "1.28.0" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "@opentelemetry/api": ">=1.0.0 <1.10.0" + } + }, + "node_modules/@opentelemetry/sdk-trace-web/node_modules/@opentelemetry/semantic-conventions": { + "version": "1.28.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/semantic-conventions/-/semantic-conventions-1.28.0.tgz", + "integrity": "sha512-lp4qAiMTD4sNWW4DbKLBkfiMZ4jbAboJIGOQr5DvciMRI494OapieI9qiODpOt0XBr1LjIDy1xAGAnVs5supTA==", + "license": "Apache-2.0", + "engines": { + "node": ">=14" + } + }, + "node_modules/@opentelemetry/semantic-conventions": { + "version": "1.27.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/semantic-conventions/-/semantic-conventions-1.27.0.tgz", + "integrity": "sha512-sAay1RrB+ONOem0OZanAR1ZI/k7yDpnOQSQmTMuGImUQb2y8EbSaCJ94FQluM74xoU03vlb2d2U90hZluL6nQg==", + "license": "Apache-2.0", + "engines": { + "node": ">=14" + } + }, + "node_modules/@parcel/watcher": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.0.4.tgz", + "integrity": "sha512-cTDi+FUDBIUOBKEtj+nhiJ71AZVlkAsQFuGQTun5tV9mwQBQgZvhCzG+URPQc8myeN32yRVZEfVAPCs1RW+Jvg==", + "dev": true, + "hasInstallScript": true, + "dependencies": { + "node-addon-api": "^3.2.1", + "node-gyp-build": "^4.3.0" + }, + "engines": { + "node": ">= 10.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/parcel" + } + }, + 
"node_modules/@pkgjs/parseargs": { + "version": "0.11.0", + "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", + "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", + "dev": true, + "license": "MIT", + "optional": true, + "engines": { + "node": ">=14" + } + }, + "node_modules/@protobufjs/aspromise": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@protobufjs/aspromise/-/aspromise-1.1.2.tgz", + "integrity": "sha512-j+gKExEuLmKwvz3OgROXtrJ2UG2x8Ch2YZUxahh+s1F2HZ+wAceUNLkvy6zKCPVRkU++ZWQrdxsUeQXmcg4uoQ==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/base64": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@protobufjs/base64/-/base64-1.1.2.tgz", + "integrity": "sha512-AZkcAA5vnN/v4PDqKyMR5lx7hZttPDgClv83E//FMNhR2TMcLUhfRUBHCmSl0oi9zMgDDqRUJkSxO3wm85+XLg==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/codegen": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.4.tgz", + "integrity": "sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/eventemitter": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/eventemitter/-/eventemitter-1.1.0.tgz", + "integrity": "sha512-j9ednRT81vYJ9OfVuXG6ERSTdEL1xVsNgqpkxMsbIabzSo3goCjDIveeGv5d03om39ML71RdmrGNjG5SReBP/Q==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/fetch": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/fetch/-/fetch-1.1.0.tgz", + "integrity": "sha512-lljVXpqXebpsijW71PZaCYeIcE5on1w5DlQy5WH6GLbFryLUrBD4932W/E2BSpfRJWseIL4v/KPgBFxDOIdKpQ==", + "license": "BSD-3-Clause", + "dependencies": { + "@protobufjs/aspromise": "^1.1.1", + "@protobufjs/inquire": "^1.1.0" + } + }, + "node_modules/@protobufjs/float": { + "version": "1.0.2", + "resolved": 
"https://registry.npmjs.org/@protobufjs/float/-/float-1.0.2.tgz", + "integrity": "sha512-Ddb+kVXlXst9d+R9PfTIxh1EdNkgoRe5tOX6t01f1lYWOvJnSPDBlG241QLzcyPdoNTsblLUdujGSE4RzrTZGQ==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/inquire": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.0.tgz", + "integrity": "sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/path": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@protobufjs/path/-/path-1.1.2.tgz", + "integrity": "sha512-6JOcJ5Tm08dOHAbdR3GrvP+yUUfkjG5ePsHYczMFLq3ZmMkAD98cDgcT2iA1lJ9NVwFd4tH/iSSoe44YWkltEA==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/pool": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/pool/-/pool-1.1.0.tgz", + "integrity": "sha512-0kELaGSIDBKvcgS4zkjz1PeddatrjYcmMWOlAuAPwAeccUrPHdUqo/J6LiymHHEiJT5NrF1UVwxY14f+fy4WQw==", + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/utf8": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz", + "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==", + "license": "BSD-3-Clause" + }, + "node_modules/@rollup/plugin-babel": { + "version": "6.0.4", + "resolved": "https://registry.npmjs.org/@rollup/plugin-babel/-/plugin-babel-6.0.4.tgz", + "integrity": "sha512-YF7Y52kFdFT/xVSuVdjkV5ZdX/3YtmX0QulG+x0taQOtJdHYzVU61aSSkAgVJ7NOv6qPkIYiJSgSWWN/DM5sGw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/helper-module-imports": "^7.18.6", + "@rollup/pluginutils": "^5.0.1" + }, + "engines": { + "node": ">=14.0.0" + }, + "peerDependencies": { + "@babel/core": "^7.0.0", + "@types/babel__core": "^7.1.9", + "rollup": "^1.20.0||^2.0.0||^3.0.0||^4.0.0" + }, + "peerDependenciesMeta": { + "@types/babel__core": { + 
"optional": true + }, + "rollup": { + "optional": true + } + } + }, + "node_modules/@rollup/plugin-node-resolve": { + "version": "15.3.1", + "resolved": "https://registry.npmjs.org/@rollup/plugin-node-resolve/-/plugin-node-resolve-15.3.1.tgz", + "integrity": "sha512-tgg6b91pAybXHJQMAAwW9VuWBO6Thi+q7BCNARLwSqlmsHz0XYURtGvh/AuwSADXSI4h/2uHbs7s4FzlZDGSGA==", + "dev": true, + "license": "MIT", + "dependencies": { + "@rollup/pluginutils": "^5.0.1", + "@types/resolve": "1.20.2", + "deepmerge": "^4.2.2", + "is-module": "^1.0.0", + "resolve": "^1.22.1" + }, + "engines": { + "node": ">=14.0.0" + }, + "peerDependencies": { + "rollup": "^2.78.0||^3.0.0||^4.0.0" + }, + "peerDependenciesMeta": { + "rollup": { + "optional": true + } + } + }, + "node_modules/@rollup/plugin-node-resolve/node_modules/resolve": { + "version": "1.22.10", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.10.tgz", + "integrity": "sha512-NPRy+/ncIMeDlTAsuqwKIiferiawhefFJtkNSW0qZJEqMEb+qBt/77B/jGeeek+F0uOeN05CDa6HXbbIgtVX4w==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-core-module": "^2.16.0", + "path-parse": "^1.0.7", + "supports-preserve-symlinks-flag": "^1.0.0" + }, + "bin": { + "resolve": "bin/resolve" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/@rollup/pluginutils": { + "version": "5.1.4", + "resolved": "https://registry.npmjs.org/@rollup/pluginutils/-/pluginutils-5.1.4.tgz", + "integrity": "sha512-USm05zrsFxYLPdWWq+K3STlWiT/3ELn3RcV5hJMghpeAIhxfsUIg6mt12CBJBInWMV4VneoV7SfGv8xIwo2qNQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/estree": "^1.0.0", + "estree-walker": "^2.0.2", + "picomatch": "^4.0.2" + }, + "engines": { + "node": ">=14.0.0" + }, + "peerDependencies": { + "rollup": "^1.20.0||^2.0.0||^3.0.0||^4.0.0" + }, + "peerDependenciesMeta": { + "rollup": { + "optional": true + } + } + }, + "node_modules/@rollup/pluginutils/node_modules/picomatch": { + 
"version": "4.0.2", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz", + "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==", "dev": true, - "hasInstallScript": true, - "dependencies": { - "node-addon-api": "^3.2.1", - "node-gyp-build": "^4.3.0" - }, + "license": "MIT", "engines": { - "node": ">= 10.0.0" + "node": ">=12" }, "funding": { - "type": "opencollective", - "url": "https://opencollective.com/parcel" + "url": "https://github.com/sponsors/jonschlinkert" } }, "node_modules/@schematics/angular": { @@ -3963,20 +5150,22 @@ } }, "node_modules/@types/eslint-scope": { - "version": "3.7.4", - "resolved": "https://registry.npmjs.org/@types/eslint-scope/-/eslint-scope-3.7.4.tgz", - "integrity": "sha512-9K4zoImiZc3HlIp6AVUDE4CWYx22a+lhSZMYNpbjW04+YF0KWj4pJXnEMjdnFTiQibFFmElcsasJXDbdI/EPhA==", + "version": "3.7.7", + "resolved": "https://registry.npmjs.org/@types/eslint-scope/-/eslint-scope-3.7.7.tgz", + "integrity": "sha512-MzMFlSLBqNF2gcHWO0G1vP/YQyfvrxZ0bF+u7mzUdZ1/xK4A4sru+nraZz5i3iEIk1l1uyicaDVTB4QbbEkAYg==", "dev": true, + "license": "MIT", "dependencies": { "@types/eslint": "*", "@types/estree": "*" } }, "node_modules/@types/estree": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.0.tgz", - "integrity": "sha512-WulqXMDUTYAXCjZnk6JtIHPigp55cVtDgDrO2gHRwhyJto21+1zbVCtOYB2L1F9w4qCQ0rOGWBnBe0FNTiEJIQ==", - "dev": true + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.6.tgz", + "integrity": "sha512-AYnb1nQyY49te+VRAVgmzfcgjYS91mY5P0TKUDCLEM+gNnA+3T6rWITXRLYCpahpqSQbN5cE+gHpnPyXjHWxcw==", + "dev": true, + "license": "MIT" }, "node_modules/@types/express": { "version": "4.17.15", 
@@ -4098,6 +5287,13 @@ "integrity": "sha512-EEhsLsD6UsDM1yFhAvy0Cjr6VwmpMWqFBCb9w07wVugF7w9nfajxLuVmngTIpgS6svCnm6Vaw+MZhoDCKnOfsw==", "dev": true }, + "node_modules/@types/resolve": { + "version": "1.20.2", + "resolved": "https://registry.npmjs.org/@types/resolve/-/resolve-1.20.2.tgz", + "integrity": "sha512-60BCwRFOZCQhDncwQdxxeOEEkbc5dIMccYLwbxsS4TUNeVECQ/pBJ0j09mrHOl/JJvpRPGwO9SvE4nR2Nb/a4Q==", + "dev": true, + "license": "MIT" + }, "node_modules/@types/retry": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/@types/retry/-/retry-0.12.0.tgz", @@ -4123,6 +5319,12 @@ "@types/node": "*" } }, + "node_modules/@types/shimmer": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/@types/shimmer/-/shimmer-1.2.0.tgz", + "integrity": "sha512-UE7oxhQLLd9gub6JKIAhDq06T0F6FnztwMNRvYgjeQSBeMc1ZG/tA47EwfduvkuQS8apbkM/lpLpWsaCeYsXVg==", + "license": "MIT" + }, "node_modules/@types/sockjs": { "version": "0.3.33", "resolved": "https://registry.npmjs.org/@types/sockjs/-/sockjs-0.3.33.tgz", @@ -4719,10 +5921,10 @@ } }, "node_modules/acorn": { - "version": "8.8.1", - "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.8.1.tgz", - "integrity": "sha512-7zFpHzhnqYKrkYdUjF1HI1bzd0VygEGX8lFk4k5zVMqHEoES+P+7TKI+EvLO9WVMJ8eekdO0aDEK044xTXwPPA==", - "dev": true, + "version": "8.14.0", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.14.0.tgz", + "integrity": "sha512-cl669nCJTZBsL97OF4kUQm5g5hC2uihk0NxY3WENAC0TYdILVkAyHymAntgxGkl7K+t0cXIrH5siy5S4XkFycA==", + "license": "MIT", "bin": { "acorn": "bin/acorn" }, 
@@ -4739,6 +5941,15 @@ "acorn": "^8" } }, + "node_modules/acorn-import-attributes": { + "version": "1.9.5", + "resolved": "https://registry.npmjs.org/acorn-import-attributes/-/acorn-import-attributes-1.9.5.tgz", + "integrity": "sha512-n02Vykv5uA3eHGM/Z2dQrcD56kL8TyDb2p1+0P83PClMnC/nc+anbQRhIOWnSq4Ke/KvDPrY3C9hDtC/A3eHnQ==", + "license": "MIT", + "peerDependencies": { + "acorn": "^8" + } + }, "node_modules/acorn-jsx": { "version": "5.3.2", "resolved": "https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.3.2.tgz", @@ -4924,6 +6135,16 @@ "node": ">=4" } }, + "node_modules/ansis": { + "version": "3.4.0", + "resolved": "https://registry.npmjs.org/ansis/-/ansis-3.4.0.tgz", + "integrity": "sha512-zVESKSQhWaPhGaWiKj1k+UqvpC7vPBBgG3hjQEeIx2YGzylWt8qA3ziAzRuUtm0OnaGsZKjIvfl8D/sJTt/I0w==", + "dev": true, + "license": "ISC", + "engines": { + "node": ">=16" + } + }, "node_modules/anymatch": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", @@ -5391,9 +6612,9 @@ } }, "node_modules/browserslist": { - "version": "4.21.4", - "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.21.4.tgz", - "integrity": "sha512-CBHJJdDmgjl3daYjN5Cp5kbTf1mUhZoS+beLklHIvkOWscs83YAhLlF3Wsh/lciQYAcbBJgTOD44VtG31ZM4Hw==", + "version": "4.24.3", + "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.3.tgz", + "integrity": "sha512-1CPmv8iobE2fyRMV97dAcMVegvvWKxmq94hkLiAkUGwKVTyDLw33K+ZxiFrREKmmps4rIw6grcCFCnTMSZ/YiA==", "funding": [ { "type": "opencollective", 
@@ -5402,13 +6623,18 @@ { "type": "tidelift", "url": "https://tidelift.com/funding/github/npm/browserslist" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" } ], + "license": "MIT", "dependencies": { - "caniuse-lite": "^1.0.30001400", - "electron-to-chromium": "^1.4.251", - "node-releases": "^2.0.6", - "update-browserslist-db": "^1.0.9" + "caniuse-lite": "^1.0.30001688", + "electron-to-chromium": "^1.5.73", + "node-releases": "^2.0.19", + "update-browserslist-db": "^1.1.1" }, "bin": { "browserslist": "cli.js" @@ -5552,9 +6778,9 @@ } }, "node_modules/caniuse-lite": { - "version": "1.0.30001446", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001446.tgz", - "integrity": "sha512-fEoga4PrImGcwUUGEol/PoFCSBnSkA9drgdkxXkJLsUBOnJ8rs3zDv6ApqYXGQFOyMPsjh79naWhF4DAxbF8rw==", + "version": "1.0.30001690", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001690.tgz", + "integrity": "sha512-5ExiE3qQN6oF8Clf8ifIDcMRCRE/dMGcETG/XGMD8/XiXm6HXQgQTh1yZYLXXpSOsEUlJm1Xr7kGULZTuGtP/w==", "funding": [ { "type": "opencollective", @@ -5563,8 +6789,13 @@ { "type": "tidelift", "url": "https://tidelift.com/funding/github/npm/caniuse-lite" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" } - ] + ], + "license": "CC-BY-4.0" }, "node_modules/cfb": { "version": "1.2.2", @@ -5651,6 +6882,12 @@ "webpack": ">=4.0.1" } }, + "node_modules/cjs-module-lexer": { + "version": "1.4.1", + "resolved": "https://registry.npmjs.org/cjs-module-lexer/-/cjs-module-lexer-1.4.1.tgz", + "integrity": "sha512-cuSVIHi9/9E/+821Qjdvngor+xpnlwnuwIyZOaLmHBVdXL+gP+I6QQB9VkO7RI77YIcTV+S1W9AreJ5eN63JBA==", + "license": "MIT" + }, "node_modules/clean-stack": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/clean-stack/-/clean-stack-2.2.0.tgz", 
@@ -6126,6 +7363,16 @@ "node": ">=10" } }, + "node_modules/cosmiconfig/node_modules/yaml": { + "version": "1.10.2", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz", + "integrity": "sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==", + "dev": true, + "license": "ISC", + "engines": { + "node": ">= 6" + } + }, "node_modules/crc-32": { "version": "1.2.2", "resolved": "https://registry.npmjs.org/crc-32/-/crc-32-1.2.2.tgz", @@ -6227,6 +7474,16 @@ "node": ">=8" } }, + "node_modules/cross-fetch": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-4.1.0.tgz", + "integrity": "sha512-uKm5PU+MHTootlWEY+mZ4vvXoCn4fLQxT9dSc1sXVMSFkINTJVN8cAQROpwcKm8bJ/c7rgZVIBWzH5T78sNZZw==", + "dev": true, + "license": "MIT", + "dependencies": { + "node-fetch": "^2.7.0" + } + }, "node_modules/cross-spawn": { "version": "7.0.3", "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz", @@ -6817,6 +8074,16 @@ "integrity": "sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==", "dev": true }, + "node_modules/deepmerge": { + "version": "4.3.1", + "resolved": "https://registry.npmjs.org/deepmerge/-/deepmerge-4.3.1.tgz", + "integrity": "sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/default-gateway": { "version": "6.0.3", "resolved": "https://registry.npmjs.org/default-gateway/-/default-gateway-6.0.3.tgz", 
@@ -7107,6 +8374,13 @@ "integrity": "sha512-jtD6YG370ZCIi/9GTaJKQxWTZD045+4R4hTk/x1UyoqadyJ9x9CgSi1RlVDQF8U2sxLLSnFkCaMihqljHIWgMg==", "dev": true }, + "node_modules/eastasianwidth": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz", + "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==", + "dev": true, + "license": "MIT" + }, "node_modules/ee-first": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", @@ -7129,9 +8403,10 @@ } }, "node_modules/electron-to-chromium": { - "version": "1.4.284", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.284.tgz", - "integrity": "sha512-M8WEXFuKXMYMVr45fo8mq0wUrrJHheiKZf6BArTKk9ZBYCKJEOU5H8cdWgDT+qCVZf7Na4lVUaZsA+h6uA9+PA==" + "version": "1.5.76", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.76.tgz", + "integrity": "sha512-CjVQyG7n7Sr+eBXE86HIulnL5N8xZY1sgmOPGuq/F0Rr0FJq63lg0kEtOIDfZBk44FnDLf6FUJ+dsJcuiUDdDQ==", + "license": "ISC" }, "node_modules/emoji-regex": { "version": "8.0.0", @@ -7226,10 +8501,11 @@ } }, "node_modules/enhanced-resolve": { - "version": "5.12.0", - "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.12.0.tgz", - "integrity": "sha512-QHTXI/sZQmko1cbDoNAa3mJ5qhWUUNAq3vR0/YiD379fWQrcfuoX1+HW2S0MTt7XmoPLapdaDKUtelUSPic7hQ==", + "version": "5.18.0", + "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.0.tgz", + "integrity": "sha512-0/r0MySGYG8YqlayBZ6MuCfECmHFdJ5qyPh8s8wa5Hnm6SaFLSK1VYCbj+NKp090Nm1caZhD+QTnmxO7esYGyQ==", "dev": true, + "license": "MIT", "dependencies": { "graceful-fs": "^4.2.4", "tapable": "^2.2.0" 
@@ -7766,9 +9042,10 @@ } }, "node_modules/escalade": { - "version": "3.1.1", - "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.1.1.tgz", - "integrity": "sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw==", + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz", + "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==", + "license": "MIT", "engines": { "node": ">=6" } @@ -8581,6 +9858,13 @@ "node": ">=4.0" } }, + "node_modules/estree-walker": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-2.0.2.tgz", + "integrity": "sha512-Rfkk/Mp/DL7JVje3u18FxFujQlTNR2q6QfMSMB7AvCBx91NGj/ba3kCfza0f6dVDbw7YlRf/nDrn7pQrCCyQ/w==", + "dev": true, + "license": "MIT" + }, "node_modules/esutils": { "version": "2.0.3", "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz", 
@@ -9050,6 +10334,36 @@ "is-callable": "^1.1.3" } }, + "node_modules/foreground-child": { + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.0.tgz", + "integrity": "sha512-Ld2g8rrAyMYFXBhEqMz8ZAHBi4J4uS1i/CxGMDnjyFWddMXLVcDp051DZfu+t7+ab7Wv6SMqpWmyFIj5UbfFvg==", + "dev": true, + "license": "ISC", + "dependencies": { + "cross-spawn": "^7.0.0", + "signal-exit": "^4.0.1" + }, + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/foreground-child/node_modules/signal-exit": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", + "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", + "dev": true, + "license": "ISC", + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/form-data": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz", @@ -9382,9 +10696,10 @@ } }, "node_modules/graceful-fs": { - "version": "4.2.10", - "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.10.tgz", - "integrity": "sha512-9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA==" + "version": "4.2.11", + "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz", + "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==", + "license": "ISC" }, "node_modules/grapheme-splitter": { "version": "1.0.4", @@ -9402,6 +10717,7 @@ "version": "1.0.3", "resolved": "https://registry.npmjs.org/has/-/has-1.0.3.tgz", "integrity": "sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==", + "dev": true, "dependencies": { "function-bind": "^1.1.1" }, 
@@ -9507,7 +10823,6 @@ "version": "2.0.2", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", - "dev": true, "dependencies": { "function-bind": "^1.1.2" }, @@ -9841,6 +11156,18 @@ "node": ">=4" } }, + "node_modules/import-in-the-middle": { + "version": "1.12.0", + "resolved": "https://registry.npmjs.org/import-in-the-middle/-/import-in-the-middle-1.12.0.tgz", + "integrity": "sha512-yAgSE7GmtRcu4ZUSFX/4v69UGXwugFFSdIQJ14LHPOPPQrWv8Y7O9PHsw8Ovk7bKCLe4sjXMbZFqGFcLHpZ89w==", + "license": "Apache-2.0", + "dependencies": { + "acorn": "^8.8.2", + "acorn-import-attributes": "^1.9.5", + "cjs-module-lexer": "^1.2.2", + "module-details-from-path": "^1.0.3" + } + }, "node_modules/imurmurhash": { "version": "0.1.4", "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz", @@ -10096,11 +11423,15 @@ } }, "node_modules/is-core-module": { - "version": "2.11.0", - "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.11.0.tgz", - "integrity": "sha512-RRjxlvLDkD1YJwDbroBHMb+cukurkDWNyHx7D3oNB5x9rb5ogcksMC5wHCadcXoo67gVr/+3GFySh3134zi6rw==", + "version": "2.16.1", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz", + "integrity": "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==", + "license": "MIT", "dependencies": { - "has": "^1.0.3" + "hasown": "^2.0.2" + }, + "engines": { + "node": ">= 0.4" }, "funding": { "url": "https://github.com/sponsors/ljharb" 
@@ -10175,6 +11506,13 @@ "resolved": "https://registry.npmjs.org/is-lambda/-/is-lambda-1.0.1.tgz", "integrity": "sha512-z7CMFGNrENq5iFB9Bqo64Xk6Y9sg+epq1myIcdHaGnbMTYOxvzsEtdYqQUylB7LxfkvgrrjP32T6Ywciio9UIQ==" }, + "node_modules/is-module": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/is-module/-/is-module-1.0.0.tgz", + "integrity": "sha512-51ypPSPCoTEIN9dy5Oy+h4pShgJmPCygKfyRCISBI+JoWT/2oJvK8QPxmwv7b/p239jXrm9M1mlQbyKJ5A152g==", + "dev": true, + "license": "MIT" + }, "node_modules/is-negative-zero": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/is-negative-zero/-/is-negative-zero-2.0.2.tgz", @@ -10518,6 +11856,22 @@ "node": ">=8" } }, + "node_modules/jackspeak": { + "version": "3.4.3", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz", + "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==", + "dev": true, + "license": "BlueOak-1.0.0", + "dependencies": { + "@isaacs/cliui": "^8.0.2" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + }, + "optionalDependencies": { + "@pkgjs/parseargs": "^0.11.0" + } + }, "node_modules/jake": { "version": "10.8.5", "resolved": "https://registry.npmjs.org/jake/-/jake-10.8.5.tgz", @@ -11323,6 +12677,12 @@ "node": ">=0.8.0" } }, + "node_modules/long": { + "version": "5.2.3", + "resolved": "https://registry.npmjs.org/long/-/long-5.2.3.tgz", + "integrity": "sha512-lcHwpNoggQTObv5apGNCTdJrO69eHOZMi4BNC+rTLER8iHAqGrUVeLh/irVIM7zTw2bOXA8T6uNPeujwOLg/2Q==", + "license": "Apache-2.0" + }, "node_modules/lru-cache": { "version": "5.1.1", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz", 
@@ -11721,6 +13081,12 @@ "node": ">=10" } }, + "node_modules/module-details-from-path": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/module-details-from-path/-/module-details-from-path-1.0.3.tgz", + "integrity": "sha512-ySViT69/76t8VhE1xXHK6Ch4NcDd26gx0MzKXLO+F7NOtnqH68d9zF94nT8ZWSxXh8ELOERsnJO/sWt1xZYw5A==", + "license": "MIT" + }, "node_modules/ms": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", @@ -11844,6 +13210,27 @@ "integrity": "sha512-mmcei9JghVNDYydghQmeDX8KoAm0FAiYyIcUt/N4nhyAipB17pllZQDOJD2fotxABnt4Mdz+dKTO7eftLg4d0A==", "dev": true }, + "node_modules/node-fetch": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", + "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", + "dev": true, + "license": "MIT", + "dependencies": { + "whatwg-url": "^5.0.0" + }, + "engines": { + "node": "4.x || >=6.0.0" + }, + "peerDependencies": { + "encoding": "^0.1.0" + }, + "peerDependenciesMeta": { + "encoding": { + "optional": true + } + } + }, "node_modules/node-forge": { "version": "1.3.1", "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz", 
@@ -11888,9 +13275,18 @@ } }, "node_modules/node-releases": { - "version": "2.0.8", - "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.8.tgz", - "integrity": "sha512-dFSmB8fFHEH/s81Xi+Y/15DQY6VHW81nXRj86EMSL3lmuTmK1e+aT4wrFCkTbm+gSwkw4KpX+rT/pMM2c1mF+A==" + "version": "2.0.19", + "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.19.tgz", + "integrity": "sha512-xxOWJsBKtzAq7DY0J+DTzuz58K8e7sJbdgwkbMWQe8UYB6ekmsQ45q0M/tJDsGaZmbC+l7n57UV8Hl5tHxO9uw==", + "license": "MIT" + }, + "node_modules/node-tar": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/node-tar/-/node-tar-1.0.0.tgz", + "integrity": "sha512-cowng5lugLQ3Bb5wWYfWM3067/S9xHDwCw3RWbqn0swqmgApDwklyg31XRci97cT7gNbVHmxoXQSkr2zDi5n+g==", + "deprecated": "please use 'tar'", + "dev": true, + "license": "ISC" }, "node_modules/nopt": { "version": "5.0.0", @@ -12590,6 +13986,13 @@ "node": ">=6" } }, + "node_modules/package-json-from-dist": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz", + "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==", + "dev": true, + "license": "BlueOak-1.0.0" + }, "node_modules/pacote": { "version": "12.0.3", "resolved": "https://registry.npmjs.org/pacote/-/pacote-12.0.3.tgz", 
@@ -12759,6 +14162,40 @@ "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, + "node_modules/path-scurry": { + "version": "1.11.1", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", + "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", + "dev": true, + "license": "BlueOak-1.0.0", + "dependencies": { + "lru-cache": "^10.2.0", + "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" + }, + "engines": { + "node": ">=16 || 14 >=14.18" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/path-scurry/node_modules/lru-cache": { + "version": "10.4.3", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", + "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", + "dev": true, + "license": "ISC" + }, + "node_modules/path-scurry/node_modules/minipass": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", + "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "dev": true, + "license": "ISC", + "engines": { + "node": ">=16 || 14 >=14.17" + } + }, "node_modules/path-to-regexp": { "version": "0.1.10", "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz", 
@@ -12775,9 +14212,10 @@ } }, "node_modules/picocolors": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz", - "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==" + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz", + "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==", + "license": "ISC" }, "node_modules/picomatch": { "version": "2.3.1", @@ -13578,6 +15016,39 @@ "node": ">=10" } }, + "node_modules/protobufjs": { + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.4.0.tgz", + "integrity": "sha512-mRUWCc3KUU4w1jU8sGxICXH/gNS94DvI1gxqDvBzhj1JpcsimQkYiOJfwsPUykUI5ZaspFbSgmBLER8IrQ3tqw==", + "hasInstallScript": true, + "license": "BSD-3-Clause", + "dependencies": { + "@protobufjs/aspromise": "^1.1.2", + "@protobufjs/base64": "^1.1.2", + "@protobufjs/codegen": "^2.0.4", + "@protobufjs/eventemitter": "^1.1.0", + "@protobufjs/fetch": "^1.1.0", + "@protobufjs/float": "^1.0.2", + "@protobufjs/inquire": "^1.1.0", + "@protobufjs/path": "^1.1.2", + "@protobufjs/pool": "^1.1.0", + "@protobufjs/utf8": "^1.1.0", + "@types/node": ">=13.7.0", + "long": "^5.0.0" + }, + "engines": { + "node": ">=12.0.0" + } + }, + "node_modules/protobufjs/node_modules/@types/node": { + "version": "22.10.2", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.10.2.tgz", + "integrity": "sha512-Xxr6BBRCAOQixvonOye19wnzyDiUtTeqldOOmj3CkeblonbccA12PFwlufvRdrpjXxqnmUaeiU5EOA+7s5diUQ==", + "license": "MIT", + "dependencies": { + "undici-types": "~6.20.0" + } + }, "node_modules/proxy-addr": { "version": "2.0.7", "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz", 
@@ -13888,6 +15359,63 @@ "node": ">=0.10.0" } }, + "node_modules/require-in-the-middle": { + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/require-in-the-middle/-/require-in-the-middle-7.4.0.tgz", + "integrity": "sha512-X34iHADNbNDfr6OTStIAHWSAvvKQRYgLO6duASaVf7J2VA3lvmNYboAHOuLC2huav1IwgZJtyEcJCKVzFxOSMQ==", + "license": "MIT", + "dependencies": { + "debug": "^4.3.5", + "module-details-from-path": "^1.0.3", + "resolve": "^1.22.8" + }, + "engines": { + "node": ">=8.6.0" + } + }, + "node_modules/require-in-the-middle/node_modules/debug": { + "version": "4.4.0", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz", + "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==", + "license": "MIT", + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/require-in-the-middle/node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", + "license": "MIT" + }, + "node_modules/require-in-the-middle/node_modules/resolve": { + "version": "1.22.10", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.10.tgz", + "integrity": "sha512-NPRy+/ncIMeDlTAsuqwKIiferiawhefFJtkNSW0qZJEqMEb+qBt/77B/jGeeek+F0uOeN05CDa6HXbbIgtVX4w==", + "license": "MIT", + "dependencies": { + "is-core-module": "^2.16.0", + "path-parse": "^1.0.7", + "supports-preserve-symlinks-flag": "^1.0.0" + }, + "bin": { + "resolve": "bin/resolve" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/require-relative": { "version": "0.8.7", "resolved": "https://registry.npmjs.org/require-relative/-/require-relative-0.8.7.tgz", 
@@ -14485,6 +16013,12 @@ "node": ">=8" } }, + "node_modules/shimmer": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/shimmer/-/shimmer-1.2.1.tgz", + "integrity": "sha512-sQTKC1Re/rM6XyFM6fIAGHRPVGvyXfgzIDvzoq608vM+jeyVD0Tu1E6Np0Kc2zAIFWIj963V2800iF/9LPieQw==", + "license": "BSD-2-Clause" + }, "node_modules/side-channel": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.6.tgz", @@ -14827,6 +16361,22 @@ "node": ">=8" } }, + "node_modules/string-width-cjs": { + "name": "string-width", + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "dev": true, + "license": "MIT", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, "node_modules/string.prototype.trimend": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/string.prototype.trimend/-/string.prototype.trimend-1.0.6.tgz", 
@@ -14866,6 +16416,30 @@ "node": ">=8" } }, + "node_modules/strip-ansi-cjs": { + "name": "strip-ansi", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "dev": true, + "license": "MIT", + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-ansi-cjs/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=8" + } + }, "node_modules/strip-ansi/node_modules/ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", @@ -15066,16 +16640,17 @@ } }, "node_modules/terser-webpack-plugin": { - "version": "5.3.6", - "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.3.6.tgz", - "integrity": "sha512-kfLFk+PoLUQIbLmB1+PZDMRSZS99Mp+/MHqDNmMA6tOItzRt+Npe3E+fsMs5mfcM0wCtrrdU387UnV+vnSffXQ==", + "version": "5.3.11", + "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.3.11.tgz", + "integrity": "sha512-RVCsMfuD0+cTt3EwX8hSl2Ks56EbFHWmhluwcqoPKtBnfjiT6olaq7PRIRfhyU8nnC2MrnDrBLfrD/RGE+cVXQ==", "dev": true, + "license": "MIT", "dependencies": { - "@jridgewell/trace-mapping": "^0.3.14", + "@jridgewell/trace-mapping": "^0.3.25", "jest-worker": "^27.4.5", - "schema-utils": "^3.1.1", - "serialize-javascript": "^6.0.0", - "terser": "^5.14.1" + "schema-utils": "^4.3.0", + "serialize-javascript": "^6.0.2", + "terser": "^5.31.1" }, "engines": { "node": ">= 10.13.0" 
@@ -15091,54 +16666,32 @@ "@swc/core": { "optional": true }, - "esbuild": { - "optional": true - }, - "uglify-js": { - "optional": true - } - } - }, - "node_modules/terser-webpack-plugin/node_modules/ajv": { - "version": "6.12.6", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", - "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", - "dev": true, - "dependencies": { - "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", - "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" - }, - "funding": { - "type": "github", - "url": "https://github.com/sponsors/epoberezkin" + "esbuild": { + "optional": true + }, + "uglify-js": { + "optional": true + } } }, - "node_modules/terser-webpack-plugin/node_modules/ajv-keywords": { - "version": "3.5.2", - "resolved": "https://registry.npmjs.org/ajv-keywords/-/ajv-keywords-3.5.2.tgz", - "integrity": "sha512-5p6WTN0DdTGVQk6VjcEju19IgaHudalcfabD7yhDGeA6bcQnmL+CpveLJq/3hvfwd1aof6L386Ougkx6RfyMIQ==", + "node_modules/terser-webpack-plugin/node_modules/commander": { + "version": "2.20.3", + "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz", + "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==", "dev": true, - "peerDependencies": { - "ajv": "^6.9.1" - } - }, - "node_modules/terser-webpack-plugin/node_modules/json-schema-traverse": { - "version": "0.4.1", - "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", - "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==", - "dev": true + "license": "MIT" }, "node_modules/terser-webpack-plugin/node_modules/schema-utils": { - "version": "3.1.1", - "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-3.1.1.tgz", - "integrity": 
"sha512-Y5PQxS4ITlC+EahLuXaY86TXfR7Dc5lw294alXOq86JAHCihAIZfqv8nNCWvaEJvaC51uN9hbLGeV0cFBdH+Fw==", + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.3.0.tgz", + "integrity": "sha512-Gf9qqc58SpCA/xdziiHz35F4GNIWYWZrEshUc/G/r5BnLph6xpKuLeoJoQuj5WfBIx/eQLf+hmVPYHaxJu7V2g==", "dev": true, + "license": "MIT", "dependencies": { - "@types/json-schema": "^7.0.8", - "ajv": "^6.12.5", - "ajv-keywords": "^3.5.2" + "@types/json-schema": "^7.0.9", + "ajv": "^8.9.0", + "ajv-formats": "^2.1.1", + "ajv-keywords": "^5.1.0" }, "engines": { "node": ">= 10.13.0" @@ -15148,6 +16701,25 @@ "url": "https://opencollective.com/webpack" } }, + "node_modules/terser-webpack-plugin/node_modules/terser": { + "version": "5.37.0", + "resolved": "https://registry.npmjs.org/terser/-/terser-5.37.0.tgz", + "integrity": "sha512-B8wRRkmre4ERucLM/uXx4MOV5cbnOlVAqUst+1+iLKPI0dOgFO28f84ptoQt9HEI537PMzfYa/d+GEPKTRXmYA==", + "dev": true, + "license": "BSD-2-Clause", + "dependencies": { + "@jridgewell/source-map": "^0.3.3", + "acorn": "^8.8.2", + "commander": "^2.20.0", + "source-map-support": "~0.5.20" + }, + "bin": { + "terser": "bin/terser" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/terser/node_modules/commander": { "version": "2.20.3", "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz", @@ -15225,6 +16797,13 @@ "node": ">=0.6" } }, + "node_modules/tr46": { + "version": "0.0.3", + "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", + "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==", + "dev": true, + "license": "MIT" + }, "node_modules/tree-kill": { "version": "1.2.2", "resolved": "https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.2.tgz", 
@@ -15391,6 +16970,12 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/undici-types": { + "version": "6.20.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.20.0.tgz", + "integrity": "sha512-Ny6QZ2Nju20vw1SRHe3d9jVu6gJ+4e3+MMpqu7pqE5HT6WsTSlce++GQmK5UXS8mzV8DSYHrQH+Xrf2jVcuKNg==", + "license": "MIT" + }, "node_modules/unicode-canonical-property-names-ecmascript": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/unicode-canonical-property-names-ecmascript/-/unicode-canonical-property-names-ecmascript-2.0.0.tgz", @@ -15466,9 +17051,9 @@ } }, "node_modules/update-browserslist-db": { - "version": "1.0.10", - "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.10.tgz", - "integrity": "sha512-OztqDenkfFkbSG+tRxBeAnCVPckDBcvibKd35yDONx6OU8N7sqgwc7rCbkJ/WcYtVRZ4ba68d6byhC21GFh7sQ==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.1.1.tgz", + "integrity": "sha512-R8UzCaa9Az+38REPiJ1tXlImTJXlVfgHZsglwBD/k6nj76ctsH1E3q4doGrukiLQd3sGQYu56r5+lo5r94l29A==", "funding": [ { "type": "opencollective", @@ -15477,14 +17062,19 @@ { "type": "tidelift", "url": "https://tidelift.com/funding/github/npm/browserslist" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" } ], + "license": "MIT", "dependencies": { - "escalade": "^3.1.1", - "picocolors": "^1.0.0" + "escalade": "^3.2.0", + "picocolors": "^1.1.0" }, "bin": { - "browserslist-lint": "cli.js" + "update-browserslist-db": "cli.js" }, "peerDependencies": { "browserslist": ">= 4.21.0" 
@@ -15604,10 +17194,11 @@ } }, "node_modules/watchpack": { - "version": "2.4.0", - "resolved": "https://registry.npmjs.org/watchpack/-/watchpack-2.4.0.tgz", - "integrity": "sha512-Lcvm7MGST/4fup+ifyKi2hjyIAwcdI4HRgtvTpIUxBRhB+RFtUh8XtDOxUfctVCnhVi+QQj49i91OyvzkJl6cg==", + "version": "2.4.2", + "resolved": "https://registry.npmjs.org/watchpack/-/watchpack-2.4.2.tgz", + "integrity": "sha512-TnbFSbcOCcDgjZ4piURLCbJ3nJhznVh9kw6F6iokjiFPl8ONxe9A6nMDVXDiNbrSfLILs6vB07F7wLBrwPYzJw==", "dev": true, + "license": "MIT", "dependencies": { "glob-to-regexp": "^0.4.1", "graceful-fs": "^4.1.2" @@ -15633,6 +17224,19 @@ "defaults": "^1.0.3" } }, + "node_modules/web-vitals": { + "version": "4.2.4", + "resolved": "https://registry.npmjs.org/web-vitals/-/web-vitals-4.2.4.tgz", + "integrity": "sha512-r4DIlprAGwJ7YM11VZp4R884m0Vmgr6EAKe3P+kO0PPj3Unqyvv59rczf6UiGcb9Z8QxZVcqKNwv/g0WNdWwsw==", + "license": "Apache-2.0" + }, + "node_modules/webidl-conversions": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", + "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==", + "dev": true, + "license": "BSD-2-Clause" + }, "node_modules/webpack": { "version": "5.70.0", "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.70.0.tgz", @@ -15940,6 +17544,17 @@ "node": ">=0.8.0" } }, + "node_modules/whatwg-url": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", + "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", + "dev": true, + "license": "MIT", + "dependencies": { + "tr46": "~0.0.3", + "webidl-conversions": "^3.0.0" + } + }, "node_modules/which": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", 
@@ -16045,6 +17660,61 @@ "url": "https://github.com/chalk/wrap-ansi?sponsor=1" } }, + "node_modules/wrap-ansi-cjs": { + "name": "wrap-ansi", + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", + "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", + "dev": true, + "license": "MIT", + "dependencies": { + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": "^6.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/ansi-styles": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz", + "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==", + "dev": true, + "license": "MIT", + "dependencies": { + "color-convert": "^2.0.1" + }, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/color-convert": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz", + "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "color-name": "~1.1.4" + }, + "engines": { + "node": ">=7.0.0" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/color-name": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", + "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", + "dev": true, + "license": "MIT" + }, "node_modules/wrap-ansi/node_modules/ansi-styles": { "version": "4.3.0", "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz", 
@@ -16135,12 +17805,15 @@ "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==" }, "node_modules/yaml": { - "version": "1.10.2", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz", - "integrity": "sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==", - "dev": true, + "version": "2.8.1", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.1.tgz", + "integrity": "sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw==", + "license": "ISC", + "bin": { + "yaml": "bin.mjs" + }, "engines": { - "node": ">= 6" + "node": ">= 14.6" } }, "node_modules/yamljs": { 
@@ -18112,14 +19785,373 @@ "uri-js": "^4.2.2" } }, - "globals": { - "version": "13.19.0", - "resolved": "https://registry.npmjs.org/globals/-/globals-13.19.0.tgz", - "integrity": "sha512-dkQ957uSRWHw7CFXLUtUHQI3g3aWApYhfNR2O6jn/907riyTYKVBmxYVROkBcY614FSSeSJh7Xm7SrUWCxvJMQ==", + "globals": { + "version": "13.19.0", + "resolved": "https://registry.npmjs.org/globals/-/globals-13.19.0.tgz", + "integrity": "sha512-dkQ957uSRWHw7CFXLUtUHQI3g3aWApYhfNR2O6jn/907riyTYKVBmxYVROkBcY614FSSeSJh7Xm7SrUWCxvJMQ==", + "dev": true, + "requires": { + "type-fest": "^0.20.2" + } + }, + "json-schema-traverse": { + "version": "0.4.1", + "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", + "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==", + "dev": true + }, + "minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "dev": true, + "requires": { + "brace-expansion": "^1.1.7" + } + }, + "type-fest": { + "version": "0.20.2", + "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.20.2.tgz", + "integrity": "sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==", + "dev": true + } + } + }, + "@gar/promisify": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/@gar/promisify/-/promisify-1.1.3.tgz", + "integrity": "sha512-k2Ty1JcVojjJFwrg/ThKi2ujJ7XNLYaFGNB/bWT9wGR+oSMJHMa5w+CUq6p/pVrKeNNgA7pCqEcjSnHVoqJQFw==" + }, + "@grafana/faro-bundlers-shared": { + "version": "0.1.1", + "resolved": "https://registry.npmjs.org/@grafana/faro-bundlers-shared/-/faro-bundlers-shared-0.1.1.tgz", + "integrity": "sha512-ZjMm5z9WpvRNsIplIKV5bNy0lbbMJjjuNHR40Wd4VvkuHhg2uJxMydW3016JQGmliJJL8kyGpVe7Uy0c8aqq3w==", + "dev": true, + "requires": { + "ansis": "^3.2.0", + "node-tar": 
"^1.0.0", + "tar": "^7.1.0" + }, + "dependencies": { + "brace-expansion": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", + "dev": true, + "requires": { + "balanced-match": "^1.0.0" + } + }, + "chownr": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz", + "integrity": "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==", + "dev": true + }, + "glob": { + "version": "10.4.5", + "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz", + "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==", + "dev": true, + "requires": { + "foreground-child": "^3.1.0", + "jackspeak": "^3.1.2", + "minimatch": "^9.0.4", + "minipass": "^7.1.2", + "package-json-from-dist": "^1.0.0", + "path-scurry": "^1.11.1" + } + }, + "minimatch": { + "version": "9.0.5", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", + "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==", + "dev": true, + "requires": { + "brace-expansion": "^2.0.1" + } + }, + "minipass": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", + "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "dev": true + }, + "minizlib": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-3.0.1.tgz", + "integrity": "sha512-umcy022ILvb5/3Djuu8LWeqUa8D68JaBzlttKeMWen48SjabqS3iY5w/vzeMzMUNhLDifyhbOwKDSznB1vvrwg==", + "dev": true, + "requires": { + "minipass": "^7.0.4", + "rimraf": "^5.0.5" + } + }, + "mkdirp": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-3.0.1.tgz", + 
"integrity": "sha512-+NsyUUAZDmo6YVHzL/stxSu3t9YS1iljliy3BSDrXJ/dkn1KYdmtZODGGjLcc9XLgVVpH4KshHB8XmZgMhaBXg==", + "dev": true + }, + "rimraf": { + "version": "5.0.10", + "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-5.0.10.tgz", + "integrity": "sha512-l0OE8wL34P4nJH/H2ffoaniAokM2qSmrtXHmlpvYr5AVVX8msAyW0l8NVJFDxlSK4u3Uh/f41cQheDVdnYijwQ==", + "dev": true, + "requires": { + "glob": "^10.3.7" + } + }, + "tar": { + "version": "7.4.3", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz", + "integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==", + "dev": true, + "requires": { + "@isaacs/fs-minipass": "^4.0.0", + "chownr": "^3.0.0", + "minipass": "^7.1.2", + "minizlib": "^3.0.1", + "mkdirp": "^3.0.1", + "yallist": "^5.0.0" + } + }, + "yallist": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/yallist/-/yallist-5.0.0.tgz", + "integrity": "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==", + "dev": true + } + } + }, + "@grafana/faro-core": { + "version": "1.12.2", + "resolved": "https://registry.npmjs.org/@grafana/faro-core/-/faro-core-1.12.2.tgz", + "integrity": "sha512-ddE7px/6T1NvVHDl5tpop3mBgSnSjg2XyKcI9V9xOUSQRWderMi91YRF+MXfyenYHbY5gpHXzl+eBMIXk2I17g==", + "requires": { + "@opentelemetry/api": "^1.9.0", + "@opentelemetry/otlp-transformer": "^0.53.0" + } + }, + "@grafana/faro-web-sdk": { + "version": "1.12.2", + "resolved": "https://registry.npmjs.org/@grafana/faro-web-sdk/-/faro-web-sdk-1.12.2.tgz", + "integrity": "sha512-vrMaeyJUEkXvRsO3POQgVfHkmMjFdXGqRnPRR60WsvYh7bDzd4M5B2n44cPN7qL1+pTG70g3CcCSX6Kfr4c34Q==", + "requires": { + "@grafana/faro-core": "^1.12.2", + "ua-parser-js": "^1.0.32", + "web-vitals": "^4.0.1" + }, + "dependencies": { + "ua-parser-js": { + "version": "1.0.40", + "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.40.tgz", + "integrity": 
"sha512-z6PJ8Lml+v3ichVojCiB8toQJBuwR42ySM4ezjXIqXK3M0HczmKQ3LF4rhU55PfD99KEEXQG6yb7iOMyvYuHew==" + } + } + }, + "@grafana/faro-web-tracing": { + "version": "1.12.2", + "resolved": "https://registry.npmjs.org/@grafana/faro-web-tracing/-/faro-web-tracing-1.12.2.tgz", + "integrity": "sha512-sS6frsk3QHYelbCPmVtdqPdYDR8/oBxGfTHnpn1VV+wHeWTcDsD3UD2FhWYY73+M4z1wKt1EaW5OzI0hBnN6lw==", + "requires": { + "@grafana/faro-web-sdk": "^1.12.2", + "@opentelemetry/api": "^1.9.0", + "@opentelemetry/context-zone": "1.26.0", + "@opentelemetry/core": "^1.26.0", + "@opentelemetry/exporter-trace-otlp-http": "^0.53.0", + "@opentelemetry/instrumentation": "^0.53.0", + "@opentelemetry/instrumentation-fetch": "^0.53.0", + "@opentelemetry/instrumentation-xml-http-request": "^0.53.0", + "@opentelemetry/otlp-transformer": "^0.53.0", + "@opentelemetry/resources": "^1.26.0", + "@opentelemetry/sdk-trace-web": "^1.26.0", + "@opentelemetry/semantic-conventions": "^1.27.0" + } + }, + "@grafana/faro-webpack-plugin": { + "version": "0.1.1", + "resolved": "https://registry.npmjs.org/@grafana/faro-webpack-plugin/-/faro-webpack-plugin-0.1.1.tgz", + "integrity": "sha512-pU/UXi5X1jB97C49e0Gn2NX4TmQv8rj92mVRkWF0X7DGGoIq1o6MwJ+xPmgBTCJ7dRnyCxKt0iH5q0hF2xLhpQ==", + "dev": true, + "requires": { + "@grafana/faro-bundlers-shared": "^0.1.1", + "@rollup/plugin-babel": "^6.0.4", + "@rollup/plugin-node-resolve": "^15.2.3", + "cross-fetch": "^4.0.0", + "webpack": "^5.89.0" + }, + "dependencies": { + "@webassemblyjs/ast": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/ast/-/ast-1.14.1.tgz", + "integrity": "sha512-nuBEDgQfm1ccRp/8bCQrx1frohyufl4JlbMMZ4P1wpeOfDhF6FQkxZJ1b/e+PLwr6X1Nhw6OLme5usuBWYBvuQ==", + "dev": true, + "requires": { + "@webassemblyjs/helper-numbers": "1.13.2", + "@webassemblyjs/helper-wasm-bytecode": "1.13.2" + } + }, + "@webassemblyjs/floating-point-hex-parser": { + "version": "1.13.2", + "resolved": 
"https://registry.npmjs.org/@webassemblyjs/floating-point-hex-parser/-/floating-point-hex-parser-1.13.2.tgz", + "integrity": "sha512-6oXyTOzbKxGH4steLbLNOu71Oj+C8Lg34n6CqRvqfS2O71BxY6ByfMDRhBytzknj9yGUPVJ1qIKhRlAwO1AovA==", + "dev": true + }, + "@webassemblyjs/helper-api-error": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-api-error/-/helper-api-error-1.13.2.tgz", + "integrity": "sha512-U56GMYxy4ZQCbDZd6JuvvNV/WFildOjsaWD3Tzzvmw/mas3cXzRJPMjP83JqEsgSbyrmaGjBfDtV7KDXV9UzFQ==", + "dev": true + }, + "@webassemblyjs/helper-buffer": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-buffer/-/helper-buffer-1.14.1.tgz", + "integrity": "sha512-jyH7wtcHiKssDtFPRB+iQdxlDf96m0E39yb0k5uJVhFGleZFoNw1c4aeIcVUPPbXUVJ94wwnMOAqUHyzoEPVMA==", + "dev": true + }, + "@webassemblyjs/helper-numbers": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-numbers/-/helper-numbers-1.13.2.tgz", + "integrity": "sha512-FE8aCmS5Q6eQYcV3gI35O4J789wlQA+7JrqTTpJqn5emA4U2hvwJmvFRC0HODS+3Ye6WioDklgd6scJ3+PLnEA==", + "dev": true, + "requires": { + "@webassemblyjs/floating-point-hex-parser": "1.13.2", + "@webassemblyjs/helper-api-error": "1.13.2", + "@xtuc/long": "4.2.2" + } + }, + "@webassemblyjs/helper-wasm-bytecode": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-bytecode/-/helper-wasm-bytecode-1.13.2.tgz", + "integrity": "sha512-3QbLKy93F0EAIXLh0ogEVR6rOubA9AoZ+WRYhNbFyuB70j3dRdwH9g+qXhLAO0kiYGlg3TxDV+I4rQTr/YNXkA==", + "dev": true + }, + "@webassemblyjs/helper-wasm-section": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/helper-wasm-section/-/helper-wasm-section-1.14.1.tgz", + "integrity": "sha512-ds5mXEqTJ6oxRoqjhWDU83OgzAYjwsCV8Lo/N+oRsNDmx/ZDpqalmrtgOMkHwxsG0iI//3BwWAErYRHtgn0dZw==", + "dev": true, + "requires": { + "@webassemblyjs/ast": "1.14.1", + "@webassemblyjs/helper-buffer": "1.14.1", + 
"@webassemblyjs/helper-wasm-bytecode": "1.13.2", + "@webassemblyjs/wasm-gen": "1.14.1" + } + }, + "@webassemblyjs/ieee754": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/ieee754/-/ieee754-1.13.2.tgz", + "integrity": "sha512-4LtOzh58S/5lX4ITKxnAK2USuNEvpdVV9AlgGQb8rJDHaLeHciwG4zlGr0j/SNWlr7x3vO1lDEsuePvtcDNCkw==", + "dev": true, + "requires": { + "@xtuc/ieee754": "^1.2.0" + } + }, + "@webassemblyjs/leb128": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/leb128/-/leb128-1.13.2.tgz", + "integrity": "sha512-Lde1oNoIdzVzdkNEAWZ1dZ5orIbff80YPdHx20mrHwHrVNNTjNr8E3xz9BdpcGqRQbAEa+fkrCb+fRFTl/6sQw==", + "dev": true, + "requires": { + "@xtuc/long": "4.2.2" + } + }, + "@webassemblyjs/utf8": { + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/@webassemblyjs/utf8/-/utf8-1.13.2.tgz", + "integrity": "sha512-3NQWGjKTASY1xV5m7Hr0iPeXD9+RDobLll3T9d2AO+g3my8xy5peVyjSag4I50mR1bBSN/Ct12lo+R9tJk0NZQ==", + "dev": true + }, + "@webassemblyjs/wasm-edit": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-edit/-/wasm-edit-1.14.1.tgz", + "integrity": "sha512-RNJUIQH/J8iA/1NzlE4N7KtyZNHi3w7at7hDjvRNm5rcUXa00z1vRz3glZoULfJ5mpvYhLybmVcwcjGrC1pRrQ==", + "dev": true, + "requires": { + "@webassemblyjs/ast": "1.14.1", + "@webassemblyjs/helper-buffer": "1.14.1", + "@webassemblyjs/helper-wasm-bytecode": "1.13.2", + "@webassemblyjs/helper-wasm-section": "1.14.1", + "@webassemblyjs/wasm-gen": "1.14.1", + "@webassemblyjs/wasm-opt": "1.14.1", + "@webassemblyjs/wasm-parser": "1.14.1", + "@webassemblyjs/wast-printer": "1.14.1" + } + }, + "@webassemblyjs/wasm-gen": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-gen/-/wasm-gen-1.14.1.tgz", + "integrity": "sha512-AmomSIjP8ZbfGQhumkNvgC33AY7qtMCXnN6bL2u2Js4gVCg8fp735aEiMSBbDR7UQIj90n4wKAFUSEd0QN2Ukg==", + "dev": true, + "requires": { + "@webassemblyjs/ast": "1.14.1", + 
"@webassemblyjs/helper-wasm-bytecode": "1.13.2", + "@webassemblyjs/ieee754": "1.13.2", + "@webassemblyjs/leb128": "1.13.2", + "@webassemblyjs/utf8": "1.13.2" + } + }, + "@webassemblyjs/wasm-opt": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-opt/-/wasm-opt-1.14.1.tgz", + "integrity": "sha512-PTcKLUNvBqnY2U6E5bdOQcSM+oVP/PmrDY9NzowJjislEjwP/C4an2303MCVS2Mg9d3AJpIGdUFIQQWbPds0Sw==", + "dev": true, + "requires": { + "@webassemblyjs/ast": "1.14.1", + "@webassemblyjs/helper-buffer": "1.14.1", + "@webassemblyjs/wasm-gen": "1.14.1", + "@webassemblyjs/wasm-parser": "1.14.1" + } + }, + "@webassemblyjs/wasm-parser": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/wasm-parser/-/wasm-parser-1.14.1.tgz", + "integrity": "sha512-JLBl+KZ0R5qB7mCnud/yyX08jWFw5MsoalJ1pQ4EdFlgj9VdXKGuENGsiCIjegI1W7p91rUlcB/LB5yRJKNTcQ==", + "dev": true, + "requires": { + "@webassemblyjs/ast": "1.14.1", + "@webassemblyjs/helper-api-error": "1.13.2", + "@webassemblyjs/helper-wasm-bytecode": "1.13.2", + "@webassemblyjs/ieee754": "1.13.2", + "@webassemblyjs/leb128": "1.13.2", + "@webassemblyjs/utf8": "1.13.2" + } + }, + "@webassemblyjs/wast-printer": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/@webassemblyjs/wast-printer/-/wast-printer-1.14.1.tgz", + "integrity": "sha512-kPSSXE6De1XOR820C90RIo2ogvZG+c3KiHzqUoO/F34Y2shGzesfqv7o57xrxovZJH/MetF5UjroJ/R/3isoiw==", + "dev": true, + "requires": { + "@webassemblyjs/ast": "1.14.1", + "@xtuc/long": "4.2.2" + } + }, + "ajv": { + "version": "6.12.6", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", + "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", + "dev": true, + "requires": { + "fast-deep-equal": "^3.1.1", + "fast-json-stable-stringify": "^2.0.0", + "json-schema-traverse": "^0.4.1", + "uri-js": "^4.2.2" + } + }, + "ajv-keywords": { + "version": "3.5.2", + "resolved": 
"https://registry.npmjs.org/ajv-keywords/-/ajv-keywords-3.5.2.tgz", + "integrity": "sha512-5p6WTN0DdTGVQk6VjcEju19IgaHudalcfabD7yhDGeA6bcQnmL+CpveLJq/3hvfwd1aof6L386Ougkx6RfyMIQ==", "dev": true, - "requires": { - "type-fest": "^0.20.2" - } + "requires": {} + }, + "es-module-lexer": { + "version": "1.5.4", + "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.5.4.tgz", + "integrity": "sha512-MVNK56NiMrOwitFB7cqDwq0CQutbw+0BvLshJSse0MUNU+y1FC3bUS/AQg7oUng+/wKrrki7JfmwtVHkVfPLlw==", + "dev": true }, "json-schema-traverse": { "version": "0.4.1", 
@@ -18127,28 +20159,50 @@ "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==", "dev": true }, - "minimatch": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", - "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "schema-utils": { + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-3.3.0.tgz", + "integrity": "sha512-pN/yOAvcC+5rQ5nERGuwrjLlYvLTbCibnZ1I7B1LaiAz9BRBlE9GMgE/eqV30P7aJQUf7Ddimy/RsbYO/GrVGg==", "dev": true, "requires": { - "brace-expansion": "^1.1.7" + "@types/json-schema": "^7.0.8", + "ajv": "^6.12.5", + "ajv-keywords": "^3.5.2" } }, - "type-fest": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.20.2.tgz", - "integrity": "sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==", - "dev": true + "webpack": { + "version": "5.97.1", + "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.97.1.tgz", + "integrity": "sha512-EksG6gFY3L1eFMROS/7Wzgrii5mBAFe4rIr3r2BTfo7bcc+DWwFZ4OJ/miOuHJO/A85HwyI4eQ0F6IKXesO7Fg==", + "dev": true, + "requires": { + "@types/eslint-scope": "^3.7.7", + "@types/estree": "^1.0.6", + "@webassemblyjs/ast": "^1.14.1", + "@webassemblyjs/wasm-edit": "^1.14.1", + "@webassemblyjs/wasm-parser": "^1.14.1", + "acorn": "^8.14.0", + "browserslist": "^4.24.0", + "chrome-trace-event": "^1.0.2", + "enhanced-resolve": "^5.17.1", + "es-module-lexer": "^1.2.1", + "eslint-scope": "5.1.1", + "events": "^3.2.0", + "glob-to-regexp": "^0.4.1", + "graceful-fs": "^4.2.11", + "json-parse-even-better-errors": "^2.3.1", + "loader-runner": "^4.2.0", + "mime-types": "^2.1.27", + "neo-async": "^2.6.2", + "schema-utils": "^3.2.0", + "tapable": "^2.1.1", + "terser-webpack-plugin": "^5.3.10", + "watchpack": "^2.4.1", + "webpack-sources": "^3.2.3" + } } } }, - 
"@gar/promisify": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/@gar/promisify/-/promisify-1.1.3.tgz", - "integrity": "sha512-k2Ty1JcVojjJFwrg/ThKi2ujJ7XNLYaFGNB/bWT9wGR+oSMJHMa5w+CUq6p/pVrKeNNgA7pCqEcjSnHVoqJQFw==" - }, "@humanwhocodes/config-array": { "version": "0.11.8", "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.8.tgz", 
@@ -18172,6 +20226,88 @@ "integrity": "sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==", "dev": true }, + "@isaacs/cliui": { + "version": "8.0.2", + "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", + "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==", + "dev": true, + "requires": { + "string-width": "^5.1.2", + "string-width-cjs": "npm:string-width@^4.2.0", + "strip-ansi": "^7.0.1", + "strip-ansi-cjs": "npm:strip-ansi@^6.0.1", + "wrap-ansi": "^8.1.0", + "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0" + }, + "dependencies": { + "ansi-regex": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz", + "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==", + "dev": true + }, + "ansi-styles": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", + "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", + "dev": true + }, + "emoji-regex": { + "version": "9.2.2", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz", + "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==", + "dev": true + }, + "string-width": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", + "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==", + "dev": true, + "requires": { + "eastasianwidth": "^0.2.0", + "emoji-regex": "^9.2.2", + "strip-ansi": "^7.0.1" + } + }, + "strip-ansi": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz", + "integrity": 
"sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==", + "dev": true, + "requires": { + "ansi-regex": "^6.0.1" + } + }, + "wrap-ansi": { + "version": "8.1.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz", + "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==", + "dev": true, + "requires": { + "ansi-styles": "^6.1.0", + "string-width": "^5.0.1", + "strip-ansi": "^7.0.1" + } + } + } + }, + "@isaacs/fs-minipass": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz", + "integrity": "sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==", + "dev": true, + "requires": { + "minipass": "^7.0.4" + }, + "dependencies": { + "minipass": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", + "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "dev": true + } + } + }, "@istanbuljs/load-nyc-config": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/@istanbuljs/load-nyc-config/-/load-nyc-config-1.1.0.tgz", 
@@ -18232,24 +20368,24 @@ "integrity": "sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A==" }, "@jridgewell/source-map": { - "version": "0.3.2", - "resolved": "https://registry.npmjs.org/@jridgewell/source-map/-/source-map-0.3.2.tgz", - "integrity": "sha512-m7O9o2uR8k2ObDysZYzdfhb08VuEml5oWGiosa1VdaPZ/A6QyPkAJuwN0Q1lhULOf6B7MtQmHENS743hWtCrgw==", + "version": "0.3.6", + "resolved": "https://registry.npmjs.org/@jridgewell/source-map/-/source-map-0.3.6.tgz", + "integrity": "sha512-1ZJTZebgqllO79ue2bm3rIGud/bOe0pP5BjSRCRxxYkEZS8STV7zN84UBbiYu7jy+eCKSnVIUgoWWE/tt+shMQ==", "dev": true, "requires": { - "@jridgewell/gen-mapping": "^0.3.0", - "@jridgewell/trace-mapping": "^0.3.9" + "@jridgewell/gen-mapping": "^0.3.5", + "@jridgewell/trace-mapping": "^0.3.25" }, "dependencies": { "@jridgewell/gen-mapping": { - "version": "0.3.2", - "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.2.tgz", - "integrity": "sha512-mh65xKQAzI6iBcFzwv28KVWSmCkdRBWoOh+bYQGW3+6OZvbbN3TqMGo5hqYxQniRcH9F2VZIoJCm4pa3BPDK/A==", + "version": "0.3.8", + "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.8.tgz", + "integrity": "sha512-imAbBGkb+ebQyxKgzv5Hu2nmROxoDOXHh80evxdoXNOrvAnVx7zimzc1Oo5h9RlfV4vPXaE2iM5pOFbvOCClWA==", "dev": true, "requires": { - "@jridgewell/set-array": "^1.0.1", + "@jridgewell/set-array": "^1.2.1", "@jridgewell/sourcemap-codec": "^1.4.10", - "@jridgewell/trace-mapping": "^0.3.9" + "@jridgewell/trace-mapping": "^0.3.24" } } } 
@@ -18774,25 +20910,365 @@ "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==", "dev": true, "requires": { - "has-flag": "^4.0.0" + "has-flag": "^4.0.0" + } + }, + "yallist": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", + "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==", + "dev": true + } + } + }, + "@opentelemetry/api": { + "version": "1.9.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.0.tgz", + "integrity": "sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg==" + }, + "@opentelemetry/api-logs": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/api-logs/-/api-logs-0.53.0.tgz", + "integrity": "sha512-8HArjKx+RaAI8uEIgcORbZIPklyh1YLjPSBus8hjRmvLi6DeFzgOcdZ7KwPabKj8mXF8dX0hyfAyGfycz0DbFw==", + "requires": { + "@opentelemetry/api": "^1.0.0" + } + }, + "@opentelemetry/context-zone": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/context-zone/-/context-zone-1.26.0.tgz", + "integrity": "sha512-ckBEUKo7jZnZ2jARcntv365413cTe9Ra7uMQWvdk10K3tWOUsLnBG8dSMRbkaA+XL9hWGrZ1MMI8UXrwnbp0FA==", + "requires": { + "@opentelemetry/context-zone-peer-dep": "1.26.0", + "zone.js": "^0.11.0 || ^0.12.0 || ^0.13.0 || ^0.14.0" + } + }, + "@opentelemetry/context-zone-peer-dep": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/context-zone-peer-dep/-/context-zone-peer-dep-1.26.0.tgz", + "integrity": "sha512-Mgdy0WsHR52h5AnN2nhZJrelDK6unOFr8aSn3ToETk6DLSOijayOi0M0SZM72qhWr7iFrJ1oxGEIK8uzVaSC8Q==", + "requires": {} + }, + "@opentelemetry/core": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-1.26.0.tgz", + "integrity": "sha512-1iKxXXE8415Cdv0yjG3G6hQnB5eVEsJce3QaawX8SjDn0mAS0ZM8fAbZZJD4ajvhC15cePvosSCut404KrIIvQ==", 
+ "requires": { + "@opentelemetry/semantic-conventions": "1.27.0" + } + }, + "@opentelemetry/exporter-trace-otlp-http": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/exporter-trace-otlp-http/-/exporter-trace-otlp-http-0.53.0.tgz", + "integrity": "sha512-m7F5ZTq+V9mKGWYpX8EnZ7NjoqAU7VemQ1E2HAG+W/u0wpY1x0OmbxAXfGKFHCspdJk8UKlwPGrpcB8nay3P8A==", + "requires": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/otlp-exporter-base": "0.53.0", + "@opentelemetry/otlp-transformer": "0.53.0", + "@opentelemetry/resources": "1.26.0", + "@opentelemetry/sdk-trace-base": "1.26.0" + } + }, + "@opentelemetry/instrumentation": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/instrumentation/-/instrumentation-0.53.0.tgz", + "integrity": "sha512-DMwg0hy4wzf7K73JJtl95m/e0boSoWhH07rfvHvYzQtBD3Bmv0Wc1x733vyZBqmFm8OjJD0/pfiUg1W3JjFX0A==", + "requires": { + "@opentelemetry/api-logs": "0.53.0", + "@types/shimmer": "^1.2.0", + "import-in-the-middle": "^1.8.1", + "require-in-the-middle": "^7.1.1", + "semver": "^7.5.2", + "shimmer": "^1.2.1" + }, + "dependencies": { + "semver": { + "version": "7.6.3", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz", + "integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==" + } + } + }, + "@opentelemetry/instrumentation-fetch": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/instrumentation-fetch/-/instrumentation-fetch-0.53.0.tgz", + "integrity": "sha512-Sayp/Oypr0lyTgOKide/Dz4ovqDWPdmazapCMyfsVpXpV9zrH2kbdO2vAKUMx9vF98vxsqcxXucf4z54WXWZ8A==", + "requires": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/instrumentation": "0.53.0", + "@opentelemetry/sdk-trace-web": "1.26.0", + "@opentelemetry/semantic-conventions": "1.27.0" + }, + "dependencies": { + "@opentelemetry/sdk-trace-web": { + "version": "1.26.0", + "resolved": 
"https://registry.npmjs.org/@opentelemetry/sdk-trace-web/-/sdk-trace-web-1.26.0.tgz", + "integrity": "sha512-sxeKPcG/gUyxZ8iB8X1MI8/grfSCGgo1n2kxOE73zjVaO9yW/7JuVC3gqUaWRjtZ6VD/V3lo2/ZSwMlm6n2mdg==", + "requires": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/sdk-trace-base": "1.26.0", + "@opentelemetry/semantic-conventions": "1.27.0" + } + } + } + }, + "@opentelemetry/instrumentation-xml-http-request": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/instrumentation-xml-http-request/-/instrumentation-xml-http-request-0.53.0.tgz", + "integrity": "sha512-vkALs8zdEUU3GnGvq1rzP0RK3+Fsk2jyzY6X/a+ibbo/miCmmeQNHX+fBRNs/3Offquj19M0qD+olNU9CJloqg==", + "requires": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/instrumentation": "0.53.0", + "@opentelemetry/sdk-trace-web": "1.26.0", + "@opentelemetry/semantic-conventions": "1.27.0" + }, + "dependencies": { + "@opentelemetry/sdk-trace-web": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-web/-/sdk-trace-web-1.26.0.tgz", + "integrity": "sha512-sxeKPcG/gUyxZ8iB8X1MI8/grfSCGgo1n2kxOE73zjVaO9yW/7JuVC3gqUaWRjtZ6VD/V3lo2/ZSwMlm6n2mdg==", + "requires": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/sdk-trace-base": "1.26.0", + "@opentelemetry/semantic-conventions": "1.27.0" + } + } + } + }, + "@opentelemetry/otlp-exporter-base": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-exporter-base/-/otlp-exporter-base-0.53.0.tgz", + "integrity": "sha512-UCWPreGQEhD6FjBaeDuXhiMf6kkBODF0ZQzrk/tuQcaVDJ+dDQ/xhJp192H9yWnKxVpEjFrSSLnpqmX4VwX+eA==", + "requires": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/otlp-transformer": "0.53.0" + } + }, + "@opentelemetry/otlp-transformer": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/otlp-transformer/-/otlp-transformer-0.53.0.tgz", + "integrity": 
"sha512-rM0sDA9HD8dluwuBxLetUmoqGJKSAbWenwD65KY9iZhUxdBHRLrIdrABfNDP7aiTjcgK8XFyTn5fhDz7N+W6DA==", + "requires": { + "@opentelemetry/api-logs": "0.53.0", + "@opentelemetry/core": "1.26.0", + "@opentelemetry/resources": "1.26.0", + "@opentelemetry/sdk-logs": "0.53.0", + "@opentelemetry/sdk-metrics": "1.26.0", + "@opentelemetry/sdk-trace-base": "1.26.0", + "protobufjs": "^7.3.0" + } + }, + "@opentelemetry/resources": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-1.26.0.tgz", + "integrity": "sha512-CPNYchBE7MBecCSVy0HKpUISEeJOniWqcHaAHpmasZ3j9o6V3AyBzhRc90jdmemq0HOxDr6ylhUbDhBqqPpeNw==", + "requires": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/semantic-conventions": "1.27.0" + } + }, + "@opentelemetry/sdk-logs": { + "version": "0.53.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-logs/-/sdk-logs-0.53.0.tgz", + "integrity": "sha512-dhSisnEgIj/vJZXZV6f6KcTnyLDx/VuQ6l3ejuZpMpPlh9S1qMHiZU9NMmOkVkwwHkMy3G6mEBwdP23vUZVr4g==", + "requires": { + "@opentelemetry/api-logs": "0.53.0", + "@opentelemetry/core": "1.26.0", + "@opentelemetry/resources": "1.26.0" + } + }, + "@opentelemetry/sdk-metrics": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-1.26.0.tgz", + "integrity": "sha512-0SvDXmou/JjzSDOjUmetAAvcKQW6ZrvosU0rkbDGpXvvZN+pQF6JbK/Kd4hNdK4q/22yeruqvukXEJyySTzyTQ==", + "requires": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/resources": "1.26.0" + } + }, + "@opentelemetry/sdk-trace-base": { + "version": "1.26.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-1.26.0.tgz", + "integrity": "sha512-olWQldtvbK4v22ymrKLbIcBi9L2SpMO84sCPY54IVsJhP9fRsxJT194C/AVaAuJzLE30EdhhM1VmvVYR7az+cw==", + "requires": { + "@opentelemetry/core": "1.26.0", + "@opentelemetry/resources": "1.26.0", + "@opentelemetry/semantic-conventions": "1.27.0" + } + }, + "@opentelemetry/sdk-trace-web": { + "version": 
"1.30.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-web/-/sdk-trace-web-1.30.0.tgz", + "integrity": "sha512-tSsPbaOQqmkfSkRkMnv1T8au2hwlv3v5ZUGmRwc7zIL1hokhZKg5qhqTsvrWvRENlZ7+J9+cXZFKIMNKHodyhQ==", + "requires": { + "@opentelemetry/core": "1.30.0", + "@opentelemetry/sdk-trace-base": "1.30.0", + "@opentelemetry/semantic-conventions": "1.28.0" + }, + "dependencies": { + "@opentelemetry/core": { + "version": "1.30.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-1.30.0.tgz", + "integrity": "sha512-Q/3u/K73KUjTCnFUP97ZY+pBjQ1kPEgjOfXj/bJl8zW7GbXdkw6cwuyZk6ZTXkVgCBsYRYUzx4fvYK1jxdb9MA==", + "requires": { + "@opentelemetry/semantic-conventions": "1.28.0" + } + }, + "@opentelemetry/resources": { + "version": "1.30.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-1.30.0.tgz", + "integrity": "sha512-5mGMjL0Uld/99t7/pcd7CuVtJbkARckLVuiOX84nO8RtLtIz0/J6EOHM2TGvPZ6F4K+XjUq13gMx14w80SVCQg==", + "requires": { + "@opentelemetry/core": "1.30.0", + "@opentelemetry/semantic-conventions": "1.28.0" + } + }, + "@opentelemetry/sdk-trace-base": { + "version": "1.30.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-1.30.0.tgz", + "integrity": "sha512-RKQDaDIkV7PwizmHw+rE/FgfB2a6MBx+AEVVlAHXRG1YYxLiBpPX2KhmoB99R5vA4b72iJrjle68NDWnbrE9Dg==", + "requires": { + "@opentelemetry/core": "1.30.0", + "@opentelemetry/resources": "1.30.0", + "@opentelemetry/semantic-conventions": "1.28.0" + } + }, + "@opentelemetry/semantic-conventions": { + "version": "1.28.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/semantic-conventions/-/semantic-conventions-1.28.0.tgz", + "integrity": "sha512-lp4qAiMTD4sNWW4DbKLBkfiMZ4jbAboJIGOQr5DvciMRI494OapieI9qiODpOt0XBr1LjIDy1xAGAnVs5supTA==" + } + } + }, + "@opentelemetry/semantic-conventions": { + "version": "1.27.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/semantic-conventions/-/semantic-conventions-1.27.0.tgz", 
+ "integrity": "sha512-sAay1RrB+ONOem0OZanAR1ZI/k7yDpnOQSQmTMuGImUQb2y8EbSaCJ94FQluM74xoU03vlb2d2U90hZluL6nQg==" + }, + "@parcel/watcher": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.0.4.tgz", + "integrity": "sha512-cTDi+FUDBIUOBKEtj+nhiJ71AZVlkAsQFuGQTun5tV9mwQBQgZvhCzG+URPQc8myeN32yRVZEfVAPCs1RW+Jvg==", + "dev": true, + "requires": { + "node-addon-api": "^3.2.1", + "node-gyp-build": "^4.3.0" + } + }, + "@pkgjs/parseargs": { + "version": "0.11.0", + "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", + "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", + "dev": true, + "optional": true + }, + "@protobufjs/aspromise": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@protobufjs/aspromise/-/aspromise-1.1.2.tgz", + "integrity": "sha512-j+gKExEuLmKwvz3OgROXtrJ2UG2x8Ch2YZUxahh+s1F2HZ+wAceUNLkvy6zKCPVRkU++ZWQrdxsUeQXmcg4uoQ==" + }, + "@protobufjs/base64": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@protobufjs/base64/-/base64-1.1.2.tgz", + "integrity": "sha512-AZkcAA5vnN/v4PDqKyMR5lx7hZttPDgClv83E//FMNhR2TMcLUhfRUBHCmSl0oi9zMgDDqRUJkSxO3wm85+XLg==" + }, + "@protobufjs/codegen": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.4.tgz", + "integrity": "sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==" + }, + "@protobufjs/eventemitter": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/eventemitter/-/eventemitter-1.1.0.tgz", + "integrity": "sha512-j9ednRT81vYJ9OfVuXG6ERSTdEL1xVsNgqpkxMsbIabzSo3goCjDIveeGv5d03om39ML71RdmrGNjG5SReBP/Q==" + }, + "@protobufjs/fetch": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/fetch/-/fetch-1.1.0.tgz", + "integrity": 
"sha512-lljVXpqXebpsijW71PZaCYeIcE5on1w5DlQy5WH6GLbFryLUrBD4932W/E2BSpfRJWseIL4v/KPgBFxDOIdKpQ==", + "requires": { + "@protobufjs/aspromise": "^1.1.1", + "@protobufjs/inquire": "^1.1.0" + } + }, + "@protobufjs/float": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/@protobufjs/float/-/float-1.0.2.tgz", + "integrity": "sha512-Ddb+kVXlXst9d+R9PfTIxh1EdNkgoRe5tOX6t01f1lYWOvJnSPDBlG241QLzcyPdoNTsblLUdujGSE4RzrTZGQ==" + }, + "@protobufjs/inquire": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.0.tgz", + "integrity": "sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==" + }, + "@protobufjs/path": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@protobufjs/path/-/path-1.1.2.tgz", + "integrity": "sha512-6JOcJ5Tm08dOHAbdR3GrvP+yUUfkjG5ePsHYczMFLq3ZmMkAD98cDgcT2iA1lJ9NVwFd4tH/iSSoe44YWkltEA==" + }, + "@protobufjs/pool": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/pool/-/pool-1.1.0.tgz", + "integrity": "sha512-0kELaGSIDBKvcgS4zkjz1PeddatrjYcmMWOlAuAPwAeccUrPHdUqo/J6LiymHHEiJT5NrF1UVwxY14f+fy4WQw==" + }, + "@protobufjs/utf8": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz", + "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==" + }, + "@rollup/plugin-babel": { + "version": "6.0.4", + "resolved": "https://registry.npmjs.org/@rollup/plugin-babel/-/plugin-babel-6.0.4.tgz", + "integrity": "sha512-YF7Y52kFdFT/xVSuVdjkV5ZdX/3YtmX0QulG+x0taQOtJdHYzVU61aSSkAgVJ7NOv6qPkIYiJSgSWWN/DM5sGw==", + "dev": true, + "requires": { + "@babel/helper-module-imports": "^7.18.6", + "@rollup/pluginutils": "^5.0.1" + } + }, + "@rollup/plugin-node-resolve": { + "version": "15.3.1", + "resolved": "https://registry.npmjs.org/@rollup/plugin-node-resolve/-/plugin-node-resolve-15.3.1.tgz", + "integrity": 
"sha512-tgg6b91pAybXHJQMAAwW9VuWBO6Thi+q7BCNARLwSqlmsHz0XYURtGvh/AuwSADXSI4h/2uHbs7s4FzlZDGSGA==", + "dev": true, + "requires": { + "@rollup/pluginutils": "^5.0.1", + "@types/resolve": "1.20.2", + "deepmerge": "^4.2.2", + "is-module": "^1.0.0", + "resolve": "^1.22.1" + }, + "dependencies": { + "resolve": { + "version": "1.22.10", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.10.tgz", + "integrity": "sha512-NPRy+/ncIMeDlTAsuqwKIiferiawhefFJtkNSW0qZJEqMEb+qBt/77B/jGeeek+F0uOeN05CDa6HXbbIgtVX4w==", + "dev": true, + "requires": { + "is-core-module": "^2.16.0", + "path-parse": "^1.0.7", + "supports-preserve-symlinks-flag": "^1.0.0" } - }, - "yallist": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", - "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==", - "dev": true } } }, - "@parcel/watcher": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.0.4.tgz", - "integrity": "sha512-cTDi+FUDBIUOBKEtj+nhiJ71AZVlkAsQFuGQTun5tV9mwQBQgZvhCzG+URPQc8myeN32yRVZEfVAPCs1RW+Jvg==", + "@rollup/pluginutils": { + "version": "5.1.4", + "resolved": "https://registry.npmjs.org/@rollup/pluginutils/-/pluginutils-5.1.4.tgz", + "integrity": "sha512-USm05zrsFxYLPdWWq+K3STlWiT/3ELn3RcV5hJMghpeAIhxfsUIg6mt12CBJBInWMV4VneoV7SfGv8xIwo2qNQ==", "dev": true, "requires": { - "node-addon-api": "^3.2.1", - "node-gyp-build": "^4.3.0" + "@types/estree": "^1.0.0", + "estree-walker": "^2.0.2", + "picomatch": "^4.0.2" + }, + "dependencies": { + "picomatch": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz", + "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==", + "dev": true + } } }, "@schematics/angular": { 
@@ -19133,9 +21609,9 @@ } }, "@types/eslint-scope": { - "version": "3.7.4", - "resolved": "https://registry.npmjs.org/@types/eslint-scope/-/eslint-scope-3.7.4.tgz", - "integrity": "sha512-9K4zoImiZc3HlIp6AVUDE4CWYx22a+lhSZMYNpbjW04+YF0KWj4pJXnEMjdnFTiQibFFmElcsasJXDbdI/EPhA==", + "version": "3.7.7", + "resolved": "https://registry.npmjs.org/@types/eslint-scope/-/eslint-scope-3.7.7.tgz", + "integrity": "sha512-MzMFlSLBqNF2gcHWO0G1vP/YQyfvrxZ0bF+u7mzUdZ1/xK4A4sru+nraZz5i3iEIk1l1uyicaDVTB4QbbEkAYg==", "dev": true, "requires": { "@types/eslint": "*", @@ -19143,9 +21619,9 @@ } }, "@types/estree": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.0.tgz", - "integrity": "sha512-WulqXMDUTYAXCjZnk6JtIHPigp55cVtDgDrO2gHRwhyJto21+1zbVCtOYB2L1F9w4qCQ0rOGWBnBe0FNTiEJIQ==", + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.6.tgz", + "integrity": "sha512-AYnb1nQyY49te+VRAVgmzfcgjYS91mY5P0TKUDCLEM+gNnA+3T6rWITXRLYCpahpqSQbN5cE+gHpnPyXjHWxcw==", "dev": true }, "@types/express": { @@ -19268,6 +21744,12 @@ "integrity": "sha512-EEhsLsD6UsDM1yFhAvy0Cjr6VwmpMWqFBCb9w07wVugF7w9nfajxLuVmngTIpgS6svCnm6Vaw+MZhoDCKnOfsw==", "dev": true }, + "@types/resolve": { + "version": "1.20.2", + "resolved": "https://registry.npmjs.org/@types/resolve/-/resolve-1.20.2.tgz", + "integrity": "sha512-60BCwRFOZCQhDncwQdxxeOEEkbc5dIMccYLwbxsS4TUNeVECQ/pBJ0j09mrHOl/JJvpRPGwO9SvE4nR2Nb/a4Q==", + "dev": true + }, "@types/retry": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/@types/retry/-/retry-0.12.0.tgz", @@ -19293,6 +21775,11 @@ "@types/node": "*" } }, + "@types/shimmer": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/@types/shimmer/-/shimmer-1.2.0.tgz", + "integrity": "sha512-UE7oxhQLLd9gub6JKIAhDq06T0F6FnztwMNRvYgjeQSBeMc1ZG/tA47EwfduvkuQS8apbkM/lpLpWsaCeYsXVg==" + }, "@types/sockjs": { "version": "0.3.33", "resolved": "https://registry.npmjs.org/@types/sockjs/-/sockjs-0.3.33.tgz", 
@@ -19738,10 +22225,9 @@ } }, "acorn": { - "version": "8.8.1", - "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.8.1.tgz", - "integrity": "sha512-7zFpHzhnqYKrkYdUjF1HI1bzd0VygEGX8lFk4k5zVMqHEoES+P+7TKI+EvLO9WVMJ8eekdO0aDEK044xTXwPPA==", - "dev": true + "version": "8.14.0", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.14.0.tgz", + "integrity": "sha512-cl669nCJTZBsL97OF4kUQm5g5hC2uihk0NxY3WENAC0TYdILVkAyHymAntgxGkl7K+t0cXIrH5siy5S4XkFycA==" }, "acorn-import-assertions": { "version": "1.8.0", @@ -19750,6 +22236,12 @@ "dev": true, "requires": {} }, + "acorn-import-attributes": { + "version": "1.9.5", + "resolved": "https://registry.npmjs.org/acorn-import-attributes/-/acorn-import-attributes-1.9.5.tgz", + "integrity": "sha512-n02Vykv5uA3eHGM/Z2dQrcD56kL8TyDb2p1+0P83PClMnC/nc+anbQRhIOWnSq4Ke/KvDPrY3C9hDtC/A3eHnQ==", + "requires": {} + }, "acorn-jsx": { "version": "5.3.2", "resolved": "https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.3.2.tgz", @@ -19880,6 +22372,12 @@ "color-convert": "^1.9.0" } }, + "ansis": { + "version": "3.4.0", + "resolved": "https://registry.npmjs.org/ansis/-/ansis-3.4.0.tgz", + "integrity": "sha512-zVESKSQhWaPhGaWiKj1k+UqvpC7vPBBgG3hjQEeIx2YGzylWt8qA3ziAzRuUtm0OnaGsZKjIvfl8D/sJTt/I0w==", + "dev": true + }, "anymatch": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", 
@@ -20231,14 +22729,14 @@ } }, "browserslist": { - "version": "4.21.4", - "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.21.4.tgz", - "integrity": "sha512-CBHJJdDmgjl3daYjN5Cp5kbTf1mUhZoS+beLklHIvkOWscs83YAhLlF3Wsh/lciQYAcbBJgTOD44VtG31ZM4Hw==", + "version": "4.24.3", + "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.3.tgz", + "integrity": "sha512-1CPmv8iobE2fyRMV97dAcMVegvvWKxmq94hkLiAkUGwKVTyDLw33K+ZxiFrREKmmps4rIw6grcCFCnTMSZ/YiA==", "requires": { - "caniuse-lite": "^1.0.30001400", - "electron-to-chromium": "^1.4.251", - "node-releases": "^2.0.6", - "update-browserslist-db": "^1.0.9" + "caniuse-lite": "^1.0.30001688", + "electron-to-chromium": "^1.5.73", + "node-releases": "^2.0.19", + "update-browserslist-db": "^1.1.1" } }, "buffer": { @@ -20343,9 +22841,9 @@ "dev": true }, "caniuse-lite": { - "version": "1.0.30001446", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001446.tgz", - "integrity": "sha512-fEoga4PrImGcwUUGEol/PoFCSBnSkA9drgdkxXkJLsUBOnJ8rs3zDv6ApqYXGQFOyMPsjh79naWhF4DAxbF8rw==" + "version": "1.0.30001690", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001690.tgz", + "integrity": "sha512-5ExiE3qQN6oF8Clf8ifIDcMRCRE/dMGcETG/XGMD8/XiXm6HXQgQTh1yZYLXXpSOsEUlJm1Xr7kGULZTuGtP/w==" }, "cfb": { "version": "1.2.2", @@ -20404,6 +22902,11 @@ "dev": true, "requires": {} }, + "cjs-module-lexer": { + "version": "1.4.1", + "resolved": "https://registry.npmjs.org/cjs-module-lexer/-/cjs-module-lexer-1.4.1.tgz", + "integrity": "sha512-cuSVIHi9/9E/+821Qjdvngor+xpnlwnuwIyZOaLmHBVdXL+gP+I6QQB9VkO7RI77YIcTV+S1W9AreJ5eN63JBA==" + }, "clean-stack": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/clean-stack/-/clean-stack-2.2.0.tgz", 
@@ -20758,6 +23261,14 @@ "parse-json": "^5.0.0", "path-type": "^4.0.0", "yaml": "^1.10.0" + }, + "dependencies": { + "yaml": { + "version": "1.10.2", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz", + "integrity": "sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==", + "dev": true + } } }, "crc-32": { @@ -20836,6 +23347,15 @@ } } }, + "cross-fetch": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-4.1.0.tgz", + "integrity": "sha512-uKm5PU+MHTootlWEY+mZ4vvXoCn4fLQxT9dSc1sXVMSFkINTJVN8cAQROpwcKm8bJ/c7rgZVIBWzH5T78sNZZw==", + "dev": true, + "requires": { + "node-fetch": "^2.7.0" + } + }, "cross-spawn": { "version": "7.0.3", "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz", @@ -21247,6 +23767,12 @@ "integrity": "sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==", "dev": true }, + "deepmerge": { + "version": "4.3.1", + "resolved": "https://registry.npmjs.org/deepmerge/-/deepmerge-4.3.1.tgz", + "integrity": "sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A==", + "dev": true + }, "default-gateway": { "version": "6.0.3", "resolved": "https://registry.npmjs.org/default-gateway/-/default-gateway-6.0.3.tgz", @@ -21472,6 +23998,12 @@ "integrity": "sha512-jtD6YG370ZCIi/9GTaJKQxWTZD045+4R4hTk/x1UyoqadyJ9x9CgSi1RlVDQF8U2sxLLSnFkCaMihqljHIWgMg==", "dev": true }, + "eastasianwidth": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz", + "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==", + "dev": true + }, "ee-first": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", 
@@ -21488,9 +24020,9 @@ } }, "electron-to-chromium": { - "version": "1.4.284", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.284.tgz", - "integrity": "sha512-M8WEXFuKXMYMVr45fo8mq0wUrrJHheiKZf6BArTKk9ZBYCKJEOU5H8cdWgDT+qCVZf7Na4lVUaZsA+h6uA9+PA==" + "version": "1.5.76", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.76.tgz", + "integrity": "sha512-CjVQyG7n7Sr+eBXE86HIulnL5N8xZY1sgmOPGuq/F0Rr0FJq63lg0kEtOIDfZBk44FnDLf6FUJ+dsJcuiUDdDQ==" }, "emoji-regex": { "version": "8.0.0", @@ -21561,9 +24093,9 @@ "dev": true }, "enhanced-resolve": { - "version": "5.12.0", - "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.12.0.tgz", - "integrity": "sha512-QHTXI/sZQmko1cbDoNAa3mJ5qhWUUNAq3vR0/YiD379fWQrcfuoX1+HW2S0MTt7XmoPLapdaDKUtelUSPic7hQ==", + "version": "5.18.0", + "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.0.tgz", + "integrity": "sha512-0/r0MySGYG8YqlayBZ6MuCfECmHFdJ5qyPh8s8wa5Hnm6SaFLSK1VYCbj+NKp090Nm1caZhD+QTnmxO7esYGyQ==", "dev": true, "requires": { "graceful-fs": "^4.2.4", @@ -21881,9 +24413,9 @@ "optional": true }, "escalade": { - "version": "3.1.1", - "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.1.1.tgz", - "integrity": "sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw==" + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz", + "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==" }, "escape-html": { "version": "1.0.3", 
@@ -22445,6 +24977,12 @@ "integrity": "sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw==", "dev": true }, + "estree-walker": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-2.0.2.tgz", + "integrity": "sha512-Rfkk/Mp/DL7JVje3u18FxFujQlTNR2q6QfMSMB7AvCBx91NGj/ba3kCfza0f6dVDbw7YlRf/nDrn7pQrCCyQ/w==", + "dev": true + }, "esutils": { "version": "2.0.3", "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz", @@ -22827,6 +25365,24 @@ "is-callable": "^1.1.3" } }, + "foreground-child": { + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.0.tgz", + "integrity": "sha512-Ld2g8rrAyMYFXBhEqMz8ZAHBi4J4uS1i/CxGMDnjyFWddMXLVcDp051DZfu+t7+ab7Wv6SMqpWmyFIj5UbfFvg==", + "dev": true, + "requires": { + "cross-spawn": "^7.0.0", + "signal-exit": "^4.0.1" + }, + "dependencies": { + "signal-exit": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", + "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", + "dev": true + } + } + }, "form-data": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz", @@ -23058,9 +25614,9 @@ } }, "graceful-fs": { - "version": "4.2.10", - "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.10.tgz", - "integrity": "sha512-9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA==" + "version": "4.2.11", + "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz", + "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==" }, "grapheme-splitter": { "version": "1.0.4", 
@@ -23078,6 +25634,7 @@ "version": "1.0.3", "resolved": "https://registry.npmjs.org/has/-/has-1.0.3.tgz", "integrity": "sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==", + "dev": true, "requires": { "function-bind": "^1.1.1" } @@ -23149,7 +25706,6 @@ "version": "2.0.2", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", - "dev": true, "requires": { "function-bind": "^1.1.2" } @@ -23410,6 +25966,17 @@ } } }, + "import-in-the-middle": { + "version": "1.12.0", + "resolved": "https://registry.npmjs.org/import-in-the-middle/-/import-in-the-middle-1.12.0.tgz", + "integrity": "sha512-yAgSE7GmtRcu4ZUSFX/4v69UGXwugFFSdIQJ14LHPOPPQrWv8Y7O9PHsw8Ovk7bKCLe4sjXMbZFqGFcLHpZ89w==", + "requires": { + "acorn": "^8.8.2", + "acorn-import-attributes": "^1.9.5", + "cjs-module-lexer": "^1.2.2", + "module-details-from-path": "^1.0.3" + } + }, "imurmurhash": { "version": "0.1.4", "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz", @@ -23598,11 +26165,11 @@ "dev": true }, "is-core-module": { - "version": "2.11.0", - "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.11.0.tgz", - "integrity": "sha512-RRjxlvLDkD1YJwDbroBHMb+cukurkDWNyHx7D3oNB5x9rb5ogcksMC5wHCadcXoo67gVr/+3GFySh3134zi6rw==", + "version": "2.16.1", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz", + "integrity": "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==", "requires": { - "has": "^1.0.3" + "hasown": "^2.0.2" } }, "is-date-object": { 
@@ -23647,6 +26214,12 @@ "resolved": "https://registry.npmjs.org/is-lambda/-/is-lambda-1.0.1.tgz", "integrity": "sha512-z7CMFGNrENq5iFB9Bqo64Xk6Y9sg+epq1myIcdHaGnbMTYOxvzsEtdYqQUylB7LxfkvgrrjP32T6Ywciio9UIQ==" }, + "is-module": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/is-module/-/is-module-1.0.0.tgz", + "integrity": "sha512-51ypPSPCoTEIN9dy5Oy+h4pShgJmPCygKfyRCISBI+JoWT/2oJvK8QPxmwv7b/p239jXrm9M1mlQbyKJ5A152g==", + "dev": true + }, "is-negative-zero": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/is-negative-zero/-/is-negative-zero-2.0.2.tgz", @@ -23885,6 +26458,16 @@ "istanbul-lib-report": "^3.0.0" } }, + "jackspeak": { + "version": "3.4.3", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz", + "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==", + "dev": true, + "requires": { + "@isaacs/cliui": "^8.0.2", + "@pkgjs/parseargs": "^0.11.0" + } + }, "jake": { "version": "10.8.5", "resolved": "https://registry.npmjs.org/jake/-/jake-10.8.5.tgz", @@ -24488,6 +27071,11 @@ } } }, + "long": { + "version": "5.2.3", + "resolved": "https://registry.npmjs.org/long/-/long-5.2.3.tgz", + "integrity": "sha512-lcHwpNoggQTObv5apGNCTdJrO69eHOZMi4BNC+rTLER8iHAqGrUVeLh/irVIM7zTw2bOXA8T6uNPeujwOLg/2Q==" + }, "lru-cache": { "version": "5.1.1", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz", 
@@ -24789,6 +27377,11 @@ "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz", "integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==" }, + "module-details-from-path": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/module-details-from-path/-/module-details-from-path-1.0.3.tgz", + "integrity": "sha512-ySViT69/76t8VhE1xXHK6Ch4NcDd26gx0MzKXLO+F7NOtnqH68d9zF94nT8ZWSxXh8ELOERsnJO/sWt1xZYw5A==" + }, "ms": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", @@ -24889,6 +27482,15 @@ "integrity": "sha512-mmcei9JghVNDYydghQmeDX8KoAm0FAiYyIcUt/N4nhyAipB17pllZQDOJD2fotxABnt4Mdz+dKTO7eftLg4d0A==", "dev": true }, + "node-fetch": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", + "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", + "dev": true, + "requires": { + "whatwg-url": "^5.0.0" + } + }, "node-forge": { "version": "1.3.1", "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz", @@ -24919,9 +27521,15 @@ "dev": true }, "node-releases": { - "version": "2.0.8", - "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.8.tgz", - "integrity": "sha512-dFSmB8fFHEH/s81Xi+Y/15DQY6VHW81nXRj86EMSL3lmuTmK1e+aT4wrFCkTbm+gSwkw4KpX+rT/pMM2c1mF+A==" + "version": "2.0.19", + "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.19.tgz", + "integrity": "sha512-xxOWJsBKtzAq7DY0J+DTzuz58K8e7sJbdgwkbMWQe8UYB6ekmsQ45q0M/tJDsGaZmbC+l7n57UV8Hl5tHxO9uw==" + }, + "node-tar": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/node-tar/-/node-tar-1.0.0.tgz", + "integrity": "sha512-cowng5lugLQ3Bb5wWYfWM3067/S9xHDwCw3RWbqn0swqmgApDwklyg31XRci97cT7gNbVHmxoXQSkr2zDi5n+g==", + "dev": true }, "nopt": { "version": "5.0.0", 
@@ -25437,6 +28045,12 @@ "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==", "dev": true }, + "package-json-from-dist": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz", + "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==", + "dev": true + }, "pacote": { "version": "12.0.3", "resolved": "https://registry.npmjs.org/pacote/-/pacote-12.0.3.tgz", @@ -25582,6 +28196,30 @@ "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, + "path-scurry": { + "version": "1.11.1", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", + "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", + "dev": true, + "requires": { + "lru-cache": "^10.2.0", + "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" + }, + "dependencies": { + "lru-cache": { + "version": "10.4.3", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", + "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", + "dev": true + }, + "minipass": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", + "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "dev": true + } + } + }, "path-to-regexp": { "version": "0.1.10", "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz", 
@@ -25595,9 +28233,9 @@ "dev": true }, "picocolors": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz", - "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==" + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz", + "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==" }, "picomatch": { "version": "2.3.1", @@ -26099,6 +28737,35 @@ "retry": "^0.12.0" } }, + "protobufjs": { + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.4.0.tgz", + "integrity": "sha512-mRUWCc3KUU4w1jU8sGxICXH/gNS94DvI1gxqDvBzhj1JpcsimQkYiOJfwsPUykUI5ZaspFbSgmBLER8IrQ3tqw==", + "requires": { + "@protobufjs/aspromise": "^1.1.2", + "@protobufjs/base64": "^1.1.2", + "@protobufjs/codegen": "^2.0.4", + "@protobufjs/eventemitter": "^1.1.0", + "@protobufjs/fetch": "^1.1.0", + "@protobufjs/float": "^1.0.2", + "@protobufjs/inquire": "^1.1.0", + "@protobufjs/path": "^1.1.2", + "@protobufjs/pool": "^1.1.0", + "@protobufjs/utf8": "^1.1.0", + "@types/node": ">=13.7.0", + "long": "^5.0.0" + }, + "dependencies": { + "@types/node": { + "version": "22.10.2", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.10.2.tgz", + "integrity": "sha512-Xxr6BBRCAOQixvonOye19wnzyDiUtTeqldOOmj3CkeblonbccA12PFwlufvRdrpjXxqnmUaeiU5EOA+7s5diUQ==", + "requires": { + "undici-types": "~6.20.0" + } + } + } + }, "proxy-addr": { "version": "2.0.7", "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz", 
@@ -26335,6 +29002,41 @@ "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz", "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==" }, + "require-in-the-middle": { + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/require-in-the-middle/-/require-in-the-middle-7.4.0.tgz", + "integrity": "sha512-X34iHADNbNDfr6OTStIAHWSAvvKQRYgLO6duASaVf7J2VA3lvmNYboAHOuLC2huav1IwgZJtyEcJCKVzFxOSMQ==", + "requires": { + "debug": "^4.3.5", + "module-details-from-path": "^1.0.3", + "resolve": "^1.22.8" + }, + "dependencies": { + "debug": { + "version": "4.4.0", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz", + "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==", + "requires": { + "ms": "^2.1.3" + } + }, + "ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" + }, + "resolve": { + "version": "1.22.10", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.10.tgz", + "integrity": "sha512-NPRy+/ncIMeDlTAsuqwKIiferiawhefFJtkNSW0qZJEqMEb+qBt/77B/jGeeek+F0uOeN05CDa6HXbbIgtVX4w==", + "requires": { + "is-core-module": "^2.16.0", + "path-parse": "^1.0.7", + "supports-preserve-symlinks-flag": "^1.0.0" + } + } + } + }, "require-relative": { "version": "0.8.7", "resolved": "https://registry.npmjs.org/require-relative/-/require-relative-0.8.7.tgz", 
@@ -26783,6 +29485,11 @@ "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==", "dev": true }, + "shimmer": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/shimmer/-/shimmer-1.2.1.tgz", + "integrity": "sha512-sQTKC1Re/rM6XyFM6fIAGHRPVGvyXfgzIDvzoq608vM+jeyVD0Tu1E6Np0Kc2zAIFWIj963V2800iF/9LPieQw==" + }, "side-channel": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.6.tgz", @@ -27050,6 +29757,17 @@ "strip-ansi": "^6.0.1" } }, + "string-width-cjs": { + "version": "npm:string-width@4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "dev": true, + "requires": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + } + }, "string.prototype.trimend": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/string.prototype.trimend/-/string.prototype.trimend-1.0.6.tgz", @@ -27087,6 +29805,23 @@ } } }, + "strip-ansi-cjs": { + "version": "npm:strip-ansi@6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "dev": true, + "requires": { + "ansi-regex": "^5.0.1" + }, + "dependencies": { + "ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "dev": true + } + } + }, "strip-bom": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/strip-bom/-/strip-bom-3.0.0.tgz", 
@@ -27224,52 +29959,46 @@ } }, "terser-webpack-plugin": { - "version": "5.3.6", - "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.3.6.tgz", - "integrity": "sha512-kfLFk+PoLUQIbLmB1+PZDMRSZS99Mp+/MHqDNmMA6tOItzRt+Npe3E+fsMs5mfcM0wCtrrdU387UnV+vnSffXQ==", + "version": "5.3.11", + "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.3.11.tgz", + "integrity": "sha512-RVCsMfuD0+cTt3EwX8hSl2Ks56EbFHWmhluwcqoPKtBnfjiT6olaq7PRIRfhyU8nnC2MrnDrBLfrD/RGE+cVXQ==", "dev": true, "requires": { - "@jridgewell/trace-mapping": "^0.3.14", + "@jridgewell/trace-mapping": "^0.3.25", "jest-worker": "^27.4.5", - "schema-utils": "^3.1.1", - "serialize-javascript": "^6.0.0", - "terser": "^5.14.1" + "schema-utils": "^4.3.0", + "serialize-javascript": "^6.0.2", + "terser": "^5.31.1" }, "dependencies": { - "ajv": { - "version": "6.12.6", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", - "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", + "commander": { + "version": "2.20.3", + "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz", + "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==", + "dev": true + }, + "schema-utils": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.3.0.tgz", + "integrity": "sha512-Gf9qqc58SpCA/xdziiHz35F4GNIWYWZrEshUc/G/r5BnLph6xpKuLeoJoQuj5WfBIx/eQLf+hmVPYHaxJu7V2g==", "dev": true, "requires": { - "fast-deep-equal": "^3.1.1", - "fast-json-stable-stringify": "^2.0.0", - "json-schema-traverse": "^0.4.1", - "uri-js": "^4.2.2" + "@types/json-schema": "^7.0.9", + "ajv": "^8.9.0", + "ajv-formats": "^2.1.1", + "ajv-keywords": "^5.1.0" } }, - "ajv-keywords": { - "version": "3.5.2", - "resolved": "https://registry.npmjs.org/ajv-keywords/-/ajv-keywords-3.5.2.tgz", - "integrity": 
"sha512-5p6WTN0DdTGVQk6VjcEju19IgaHudalcfabD7yhDGeA6bcQnmL+CpveLJq/3hvfwd1aof6L386Ougkx6RfyMIQ==", - "dev": true, - "requires": {} - }, - "json-schema-traverse": { - "version": "0.4.1", - "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", - "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==", - "dev": true - }, - "schema-utils": { - "version": "3.1.1", - "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-3.1.1.tgz", - "integrity": "sha512-Y5PQxS4ITlC+EahLuXaY86TXfR7Dc5lw294alXOq86JAHCihAIZfqv8nNCWvaEJvaC51uN9hbLGeV0cFBdH+Fw==", + "terser": { + "version": "5.37.0", + "resolved": "https://registry.npmjs.org/terser/-/terser-5.37.0.tgz", + "integrity": "sha512-B8wRRkmre4ERucLM/uXx4MOV5cbnOlVAqUst+1+iLKPI0dOgFO28f84ptoQt9HEI537PMzfYa/d+GEPKTRXmYA==", "dev": true, "requires": { - "@types/json-schema": "^7.0.8", - "ajv": "^6.12.5", - "ajv-keywords": "^3.5.2" + "@jridgewell/source-map": "^0.3.3", + "acorn": "^8.8.2", + "commander": "^2.20.0", + "source-map-support": "~0.5.20" } } } @@ -27330,6 +30059,12 @@ "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==", "dev": true }, + "tr46": { + "version": "0.0.3", + "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", + "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==", + "dev": true + }, "tree-kill": { "version": "1.2.2", "resolved": "https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.2.tgz", 
@@ -27450,6 +30185,11 @@ "which-boxed-primitive": "^1.0.2" } }, + "undici-types": { + "version": "6.20.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.20.0.tgz", + "integrity": "sha512-Ny6QZ2Nju20vw1SRHe3d9jVu6gJ+4e3+MMpqu7pqE5HT6WsTSlce++GQmK5UXS8mzV8DSYHrQH+Xrf2jVcuKNg==" + }, "unicode-canonical-property-names-ecmascript": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/unicode-canonical-property-names-ecmascript/-/unicode-canonical-property-names-ecmascript-2.0.0.tgz", @@ -27507,12 +30247,12 @@ "dev": true }, "update-browserslist-db": { - "version": "1.0.10", - "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.10.tgz", - "integrity": "sha512-OztqDenkfFkbSG+tRxBeAnCVPckDBcvibKd35yDONx6OU8N7sqgwc7rCbkJ/WcYtVRZ4ba68d6byhC21GFh7sQ==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.1.1.tgz", + "integrity": "sha512-R8UzCaa9Az+38REPiJ1tXlImTJXlVfgHZsglwBD/k6nj76ctsH1E3q4doGrukiLQd3sGQYu56r5+lo5r94l29A==", "requires": { - "escalade": "^3.1.1", - "picocolors": "^1.0.0" + "escalade": "^3.2.0", + "picocolors": "^1.1.0" } }, "uri-js": { @@ -27606,9 +30346,9 @@ } }, "watchpack": { - "version": "2.4.0", - "resolved": "https://registry.npmjs.org/watchpack/-/watchpack-2.4.0.tgz", - "integrity": "sha512-Lcvm7MGST/4fup+ifyKi2hjyIAwcdI4HRgtvTpIUxBRhB+RFtUh8XtDOxUfctVCnhVi+QQj49i91OyvzkJl6cg==", + "version": "2.4.2", + "resolved": "https://registry.npmjs.org/watchpack/-/watchpack-2.4.2.tgz", + "integrity": "sha512-TnbFSbcOCcDgjZ4piURLCbJ3nJhznVh9kw6F6iokjiFPl8ONxe9A6nMDVXDiNbrSfLILs6vB07F7wLBrwPYzJw==", "dev": true, "requires": { "glob-to-regexp": "^0.4.1", 
@@ -27632,6 +30372,17 @@ "defaults": "^1.0.3" } }, + "web-vitals": { + "version": "4.2.4", + "resolved": "https://registry.npmjs.org/web-vitals/-/web-vitals-4.2.4.tgz", + "integrity": "sha512-r4DIlprAGwJ7YM11VZp4R884m0Vmgr6EAKe3P+kO0PPj3Unqyvv59rczf6UiGcb9Z8QxZVcqKNwv/g0WNdWwsw==" + }, + "webidl-conversions": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", + "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==", + "dev": true + }, "webpack": { "version": "5.70.0", "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.70.0.tgz", @@ -27843,6 +30594,16 @@ "integrity": "sha512-OqedPIGOfsDlo31UNwYbCFMSaO9m9G/0faIHj5/dZFDMFqPTcx6UwqyOy3COEaEOg/9VsGIpdqn62W5KhoKSpg==", "dev": true }, + "whatwg-url": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", + "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", + "dev": true, + "requires": { + "tr46": "~0.0.3", + "webidl-conversions": "^3.0.0" + } + }, "which": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", 
@@ -27941,6 +30702,43 @@ } } }, + "wrap-ansi-cjs": { + "version": "npm:wrap-ansi@7.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", + "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", + "dev": true, + "requires": { + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": "^6.0.0" + }, + "dependencies": { + "ansi-styles": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz", + "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==", + "dev": true, + "requires": { + "color-convert": "^2.0.1" + } + }, + "color-convert": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz", + "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==", + "dev": true, + "requires": { + "color-name": "~1.1.4" + } + }, + "color-name": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", + "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", + "dev": true + } + } + }, "wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", @@ -27978,10 +30776,9 @@ "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==" }, "yaml": { - "version": "1.10.2", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz", - "integrity": "sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==", - "dev": true + "version": "2.8.1", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.1.tgz", + "integrity": "sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw==" }, "yamljs": { "version": "0.3.0", 
diff --git a/package.json b/package.json index 548035049..8a34fc8a1 100644 --- a/package.json +++ b/package.json @@ -24,6 +24,8 @@ "@angular/platform-browser": "^13.0.0", "@angular/platform-browser-dynamic": "^13.0.0", "@angular/router": "^13.0.0", + "@grafana/faro-web-sdk": "^1.12.2", + "@grafana/faro-web-tracing": "^1.12.2", "@ngneat/until-destroy": "^10.0.0-beta.0", "d3": "^7.5.0", "js-yaml": "^4.1.0", @@ -31,6 +33,7 @@ "rxjs": "~7.5.0", "tslib": "^2.8.1", "xlsx": "^0.18.5", + "yaml": "^2.8.1", "yamljs": "^0.3.0", "zone.js": "~0.11.4" }, @@ -42,6 +45,7 @@ "@angular-eslint/schematics": "^13.0.0", "@angular-eslint/template-parser": "^13.0.0", "@angular/compiler-cli": "^13.0.0", + "@grafana/faro-webpack-plugin": "^0.1.1", "@types/d3": "^7.4.0", "@types/jasmine": "~3.10.0", "@types/js-yaml": "^4.0.9", diff --git a/src/app/app-routing.module.ts b/src/app/app-routing.module.ts index 2d8dbdd32..74f244752 100644 --- a/src/app/app-routing.module.ts +++ b/src/app/app-routing.module.ts 
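Review bot: Three YAML parsers now ship in the runtime dependency set — `js-yaml` (^4.1.0), the new `yaml` (^2.8.1) and `yamljs` (^0.3.0) — which triples the parsing surface for what is presumably the same user-supplied assessment YAML; if `yaml` is the intended replacement, `yamljs`/`js-yaml` should be dropped in the same change rather than left behind. The `@grafana/faro-web-sdk` / `@grafana/faro-web-tracing` pair emits browser telemetry to an external collector, so the commit should record where the collector URL and sampling are configured and whether team names or assessment data can end up in it; that configuration is not visible in this diff. `@grafana/faro-webpack-plugin` as a devDependency presumably uploads build artifacts such as source maps during the build — confirm it is gated on a credential that is not exposed in CI output and that it is a no-op when that credential is absent.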
@@ -1,16 +1,17 @@ import { Component, NgModule } from '@angular/core'; import { RouterModule, Routes } from '@angular/router'; -import { AboutUsComponent } from './component/about-us/about-us.component'; -import { UserdayComponent } from './component/userday/userday.component'; -import { CircularHeatmapComponent } from './component/circular-heatmap/circular-heatmap.component'; -import { MappingComponent } from './component/mapping/mapping.component'; -import { MatrixComponent } from './component/matrix/matrix.component'; +import { AboutUsComponent } from './pages/about-us/about-us.component'; +import { UserdayComponent } from './pages/userday/userday.component'; +import { CircularHeatmapComponent } from './pages/circular-heatmap/circular-heatmap.component'; +import { MappingComponent } from './pages/mapping/mapping.component'; +import { MatrixComponent } from './pages/matrix/matrix.component'; import { ActivityDescriptionComponent } from './component/activity-description/activity-description.component'; -import { UsageComponent } from './component/usage/usage.component'; -import { TeamsComponent } from './component/teams/teams.component'; +import { UsageComponent } from './pages/usage/usage.component'; +import { TeamsComponent } from './pages/teams/teams.component'; +import { RoadmapComponent } from './pages/roadmap/roadmap.component'; const routes: Routes = [ - { path: '', component: MatrixComponent }, + { path: '', component: CircularHeatmapComponent }, { path: 'circular-heatmap', component: CircularHeatmapComponent }, { path: 'matrix', component: MatrixComponent }, { path: 'activity-description', component: ActivityDescriptionComponent }, @@ -20,6 +21,7 @@ const routes: Routes = [ { path: 'teams', component: TeamsComponent }, { path: 'about', component: AboutUsComponent }, { path: 'userday', component: UserdayComponent }, + { path: 'roadmap', component: RoadmapComponent }, ]; @NgModule({ 
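Review bot: The route table still has no wildcard entry, so an unknown path such as `/roadmaps` renders an empty outlet with no feedback; a trailing `{ path: '**', redirectTo: '' }` (or a not-found component) would close that gap now that a new `roadmap` route is being added. The default path `''` and `'circular-heatmap'` both mount `CircularHeatmapComponent` directly, producing two canonical URLs for one view — `{ path: '', redirectTo: 'circular-heatmap', pathMatch: 'full' }` keeps a single address and makes the changed landing page explicit. The pre-existing `Component` import from `@angular/core` on the first context line is unused in this file and can go in the same tidy-up.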
diff --git a/src/app/app.component.css b/src/app/app.component.css index 64dc7b499..58eed584a 100644 --- a/src/app/app.component.css +++ b/src/app/app.component.css @@ -1,3 +1,20 @@ +/* --- experimental branch --- */ +/* .mat-drawer-container { + background-color: #fffff4; +} */ +.tag-line { + display: flex; + flex-direction: column; + align-items: center; +} +.tag-title { + font-size: 1.2rem; +} +.tag-subtitle { + font-size: 0.7rem; +} + +/* --- experimental branch end --- */ .main-container { width: 100%; diff --git a/src/app/app.component.html b/src/app/app.component.html index a22b9b84d..60f935481 100644 --- a/src/app/app.component.html +++ b/src/app/app.component.html @@ -1,9 +1,5 @@ - + @@ -15,7 +11,13 @@ +
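Review bot: The `/* --- experimental branch --- */` … `/* --- experimental branch end --- */` markers and the commented-out `.mat-drawer-container` rule are work-in-progress scaffolding that should not land in a merge commit; the three `.tag-*` rules stand on their own. Either drop the commented block and the markers, or replace them with one line that says what the tag-line styles are for, e.g. `/* Alpha v4 banner under the logo (see app.component.html) */`.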
+
Alpha v4 edition
+
{{ subtitle }}
+
+
{ const HTMLElement: HTMLElement = fixture.nativeElement; var divTag = HTMLElement.querySelector('div')!; var aTag = divTag.querySelector('a')!; - //console.log(aTag); - expect(aTag.textContent).toEqual('Fork me on GitHub'); + expect(aTag.textContent).toContain('GitHub'); }); }); diff --git a/src/app/app.component.ts b/src/app/app.component.ts index b0004f02b..c48756c4d 100644 --- a/src/app/app.component.ts +++ b/src/app/app.component.ts @@ -1,5 +1,6 @@ import { Component, OnInit } from '@angular/core'; import { ThemeService } from './service/theme.service'; +import { environment } from '../environments/environment'; @Component({ selector: 'app-root', @@ -8,6 +9,7 @@ import { ThemeService } from './service/theme.service'; }) export class AppComponent implements OnInit { title = 'DSOMM'; + subtitle = ''; menuIsOpen: boolean = true; constructor(private themeService: ThemeService) { @@ -21,6 +23,18 @@ export class AppComponent implements OnInit { this.menuIsOpen = false; }, 600); } + + if (environment?.production === false) { + fetch( + 'https://api.github.com/repos/devsecopsmaturitymodel/DevSecOps-MaturityModel/branches/v4' + ).then(async response => { + let gitinfo: any = await response.json(); + let commitDate: string = gitinfo?.commit?.commit?.author?.date; + if (commitDate) { + this.subtitle = `Released: ${commitDate?.replace('T', ' ')}`; + } + }); + } } toggleMenu(): void { diff --git a/src/app/app.module.ts b/src/app/app.module.ts index ecc93f8b4..4609e4a70 100644 --- a/src/app/app.module.ts +++ b/src/app/app.module.ts 
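Review bot: The `fetch` to api.github.com inside the `environment?.production === false` branch has neither a `response.ok` check nor a `.catch()`, so a network or CORS failure becomes an unhandled promise rejection on every non-production page load, and a rate-limited 403 body is parsed as if it were branch metadata (optional chaining hides it only by accident). Add `if (!response.ok) return;` before `response.json()`, terminate the chain with `.catch(() => undefined)` since the subtitle is best-effort, and guard the `replace` call with `typeof commitDate === 'string'` so a malformed payload cannot throw inside the handler. Interpolating `subtitle` via `{{ subtitle }}` is escaped by Angular, so the API body cannot inject markup, but a short comment should note that this is an unauthenticated call to a third party and needs a `connect-src` entry if a CSP is ever added. `ngOnInit` starts outside the hunk.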
@@ -6,28 +6,28 @@ import { AppRoutingModule } from './app-routing.module'; import { AppComponent } from './app.component'; import { BrowserAnimationsModule } from '@angular/platform-browser/animations'; import { MaterialModule } from './material/material.module'; +import { CircularHeatmapComponent } from './pages/circular-heatmap/circular-heatmap.component'; +import { MatrixComponent } from './pages/matrix/matrix.component'; +import { MappingComponent } from './pages/mapping/mapping.component'; +import { TeamsComponent } from './pages/teams/teams.component'; +import { UsageComponent } from './pages/usage/usage.component'; +import { UserdayComponent } from './pages/userday/userday.component'; +import { RoadmapComponent } from './pages/roadmap/roadmap.component'; +import { AboutUsComponent } from './pages/about-us/about-us.component'; import { LogoComponent } from './component/logo/logo.component'; -import { MatrixComponent } from './component/matrix/matrix.component'; import { SidenavButtonsComponent } from './component/sidenav-buttons/sidenav-buttons.component'; import { TopHeaderComponent } from './component/top-header/top-header.component'; import { ActivityDescriptionComponent } from './component/activity-description/activity-description.component'; -import { ymlService } from './service/yaml-parser/yaml-parser.service'; +import { LoaderService } from './service/loader/data-loader.service'; import { HttpClientModule } from '@angular/common/http'; -import { CircularHeatmapComponent } from './component/circular-heatmap/circular-heatmap.component'; -import { MappingComponent } from './component/mapping/mapping.component'; import { ReadmeToHtmlComponent } from './component/readme-to-html/readme-to-html.component'; -import { UsageComponent } from './component/usage/usage.component'; -import { UserdayComponent } from './component/userday/userday.component'; -import { AboutUsComponent } from './component/about-us/about-us.component'; import { DependencyGraphComponent } 
from './component/dependency-graph/dependency-graph.component'; -import { TeamsComponent } from './component/teams/teams.component'; import { ToStringValuePipe } from './pipe/to-string-value.pipe'; import { ModalMessageComponent } from './component/modal-message/modal-message.component'; -import { - MatDialogModule, - MAT_DIALOG_DATA, - MatDialogRef, -} from '@angular/material/dialog'; +import { ProgressSliderComponent } from './component/progress-slider/progress-slider.component'; +import { KpiComponent } from './component/kpi/kpi.component'; +import { MatDialogModule, MAT_DIALOG_DATA, MatDialogRef } from '@angular/material/dialog'; +import { TeamsGroupsEditorModule } from './component/teams-groups-editor/teams-groups-editor.module'; @NgModule({ declarations: [ @@ -46,7 +46,10 @@ import { TeamsComponent, ToStringValuePipe, UserdayComponent, + RoadmapComponent, ModalMessageComponent, + ProgressSliderComponent, + KpiComponent, ], imports: [ BrowserModule, @@ -56,9 +59,10 @@ import { MatDialogModule, ReactiveFormsModule, HttpClientModule, + TeamsGroupsEditorModule, ], providers: [ - ymlService, + LoaderService, ModalMessageComponent, { provide: MAT_DIALOG_DATA, useValue: {} }, { provide: MatDialogRef, useValue: { close: (dialogResult: any) => {} } }, diff --git a/src/app/component/about-us/about-us.component.html b/src/app/component/about-us/about-us.component.html deleted file mode 100644 index 9cb15dc91..000000000 --- a/src/app/component/about-us/about-us.component.html +++ /dev/null @@ -1,3 +0,0 @@ - - diff --git a/src/app/component/activity-description/activity-description.component.html b/src/app/component/activity-description/activity-description.component.html index 01955440e..10b41287a 100644 --- a/src/app/component/activity-description/activity-description.component.html +++ b/src/app/component/activity-description/activity-description.component.html @@ -1,16 +1,16 @@

- {{ currentActivity.dimension }} -> {{ currentActivity.subDimension }}: - {{ currentActivity.activityName }} + {{ currentActivity.category }} -> {{ currentActivity.dimension }}: + {{ currentActivity.name }}

- - + +
- + UUID @@ -19,42 +19,40 @@

- + Description -

+

- + Risk -

+

- + Measure -

+

- + Implementation Guide -

+

@@ -63,11 +61,9 @@

Difficulty of Implementation -

- Knowledge: {{ this.KnowledgeLabels[this.currentActivity.knowledge] }} -

-

Time: {{ this.GeneralLabels[this.currentActivity.time] }}

-

Resources: {{ this.GeneralLabels[this.currentActivity.resources] }}

+

Knowledge: {{ this.KnowledgeLabel }}

+

Time: {{ this.TimeLabel }}

+

Resources: {{ this.ResourceLabel }}

@@ -76,7 +72,7 @@

Usefulness -

{{ this.GeneralLabels[this.currentActivity.usefulness] }}

+

{{ this.UsefulnessLabel }}

@@ -99,13 +95,13 @@

- + Assessment -

+

@@ -116,8 +112,7 @@

- + @@ -172,7 +167,7 @@

{{ SAMMVersion }} -

diff --git a/src/app/component/circular-heatmap/circular-heatmap.component.spec.ts b/src/app/pages/circular-heatmap/circular-heatmap.component.spec.ts similarity index 84% rename from src/app/component/circular-heatmap/circular-heatmap.component.spec.ts rename to src/app/pages/circular-heatmap/circular-heatmap.component.spec.ts index cb10751cb..e192d6ad1 100644 --- a/src/app/component/circular-heatmap/circular-heatmap.component.spec.ts +++ b/src/app/pages/circular-heatmap/circular-heatmap.component.spec.ts @@ -1,10 +1,10 @@ import { HttpClient, HttpHandler } from '@angular/common/http'; import { ComponentFixture, TestBed } from '@angular/core/testing'; -import { ymlService } from 'src/app/service/yaml-parser/yaml-parser.service'; +import { LoaderService } from 'src/app/service/loader/data-loader.service'; import { CircularHeatmapComponent } from './circular-heatmap.component'; import { RouterTestingModule } from '@angular/router/testing'; import { MatChip } from '@angular/material/chips'; -import { ModalMessageComponent } from '../modal-message/modal-message.component'; +import { ModalMessageComponent } from '../../component/modal-message/modal-message.component'; describe('CircularHeatmapComponent', () => { let component: CircularHeatmapComponent; @@ -15,7 +15,7 @@ describe('CircularHeatmapComponent', () => { declarations: [CircularHeatmapComponent, MatChip], imports: [RouterTestingModule], providers: [ - ymlService, + LoaderService, HttpClient, HttpHandler, { provide: ModalMessageComponent, useValue: {} }, diff --git a/src/app/pages/circular-heatmap/circular-heatmap.component.ts b/src/app/pages/circular-heatmap/circular-heatmap.component.ts new file mode 100644 index 000000000..1b94a89b7 --- /dev/null +++ b/src/app/pages/circular-heatmap/circular-heatmap.component.ts 
@@ -0,0 +1,660 @@ +import { Component, OnInit } from '@angular/core'; +import { equalArray } from 'src/app/util/util'; +import { LoaderService } from 'src/app/service/loader/data-loader.service'; +import * as d3 from 'd3'; +import { Router } from '@angular/router'; +import { MatChip } from '@angular/material/chips'; +import * as md from 'markdown-it'; +import { + ModalMessageComponent, + DialogInfo, +} from '../../component/modal-message/modal-message.component'; +import { Activity } from 'src/app/model/activity-store'; +import { Uuid, ProgressDefinition, TeamName, ProgressTitle, TeamGroups } from 'src/app/model/types'; +import { SectorService } from '../../service/sector-service'; +import { DataStore } from 'src/app/model/data-store'; +import { Sector } from 'src/app/model/sector'; +import { perfNow } from 'src/app/util/util'; +import { downloadYamlFile } from 'src/app/util/download'; +import { ThemeService } from '../../service/theme.service'; +@Component({ + selector: 'app-circular-heatmap', + templateUrl: './circular-heatmap.component.html', + styleUrls: ['./circular-heatmap.component.css'], +}) +export class CircularHeatmapComponent implements OnInit { + Routing: string = '/activity-description'; + markdown: md = md(); + maxLevelOfMaturity: number = -1; + showOverlay: boolean = false; + showFilters: boolean = true; + showActivityCard: any = null; + + showActivityDetails: Activity | null = null; + TimeLabel: string = ''; + KnowledgeLabel: string = ''; + ResourceLabel: string = ''; + UsefulnessLabel: string = ''; + + dataStore: DataStore | null = null; + + // New properties for refactored data + dimLabels: string[] = []; + filtersTeams: Record = {}; + filtersTeamGroups: Record = {}; + teamGroups: TeamGroups = {}; + hasTeamsFilter: boolean = false; + maxLevel: number = 0; + dimensionLabels: string[] = []; + progressStates: string[] = []; + allSectors: Sector[] = []; + selectedSector: Sector | null = null; + theme: string; + theme_colors!: Record; + + constructor( 
+ private loader: LoaderService, + private sectorService: SectorService, + private themeService: ThemeService, + public modal: ModalMessageComponent + ) { + this.theme = this.themeService.getTheme(); + } + + ngOnInit(): void { + const savedTheme: string = this.themeService.getTheme() || 'light'; + this.themeService.setTheme(savedTheme); // sets .light-theme or .dark-theme + requestAnimationFrame(() => { + // Now the DOM has the correct class and CSS vars are live + console.log('Initial theme:', this.theme); + const css = getComputedStyle(document.body); + this.theme_colors = { + background: css.getPropertyValue('--heatmap-background').trim(), + filled: css.getPropertyValue('--heatmap-filled').trim(), + disabled: css.getPropertyValue('--heatmap-disabled').trim(), + cursor: css.getPropertyValue('--heatmap-cursor-hover').trim(), + stroke: css.getPropertyValue('--heatmap-stroke').trim(), + }; + + console.log(`${perfNow()}: Heat: Loading yamls...`); + // Ensure that Levels and Teams load before MaturityData + // using promises, since ngOnInit does not support async/await + this.loader + .load() + .then((dataStore: DataStore) => { + if (!dataStore.activityStore) { + throw Error('No activityStore available'); + } + if (!dataStore.progressStore) { + throw Error('No progressStore available'); + } + + this.filtersTeams = this.buildFilters(dataStore.meta?.teams as string[]); + // Insert key: 'All' with value: [], in the first position of the meta.teamGroups Record + const allTeamsGroupName: string = dataStore.getMetaString('allTeamsGroupName') || 'All'; + this.teamGroups = { [allTeamsGroupName]: [], ...(dataStore.meta?.teamGroups || {}) }; + this.filtersTeamGroups = this.buildFilters(Object.keys(this.teamGroups)); + this.filtersTeamGroups[allTeamsGroupName] = true; + + let progressDefinition: ProgressDefinition = dataStore.meta?.progressDefinition || {}; + this.sectorService.init( + dataStore.progressStore, + dataStore.meta?.teams || [], + 
dataStore?.progressStore?.getProgressData() || {}, + progressDefinition + ); + this.progressStates = this.sectorService.getProgressStates(); + + this.setYamlData(dataStore); + + // For now, just draw the sectors (no activities yet) + this.loadCircularHeatMap('#chart', this.allSectors, this.dimensionLabels, this.maxLevel); + console.log(`${perfNow()}: Page loaded: Circular Heatmap`); + }) + .catch(err => { + this.displayMessage(new DialogInfo(err.message, 'An error occurred')); + if (err.hasOwnProperty('stack')) { + console.warn(err); + } + }); + }); + // Reactively handle theme changes (if user toggles later) + this.themeService.theme$.subscribe((theme: string) => { + const css = getComputedStyle(document.body); + this.theme_colors = { + background: css.getPropertyValue('--heatmap-background').trim(), + filled: css.getPropertyValue('--heatmap-filled').trim(), + disabled: css.getPropertyValue('--heatmap-disabled').trim(), + cursor: css.getPropertyValue('--heatmap-cursor-hover').trim(), + stroke: css.getPropertyValue('--heatmap-stroke').trim(), + }; + + this.reColorHeatmap(); // repaint segments with new theme + }); + } + + displayMessage(dialogInfo: DialogInfo) { + this.modal.openDialog(dialogInfo); + } + + setYamlData(dataStore: DataStore) { + this.dataStore = dataStore; + this.maxLevel = dataStore.getMaxLevel(); + this.dimensionLabels = dataStore?.activityStore?.getAllDimensionNames() || []; + + // Prepare all sectors: one for each (dimension, level) pair + this.allSectors = []; + for (let level = 1; level <= this.maxLevel; level++) { + for (let dimName of this.dimensionLabels) { + const activities: Activity[] = + dataStore?.activityStore?.getActivities(dimName, level) || []; + this.allSectors.push({ + dimension: dimName, + level: level, + activities: activities, + }); + } + } + } + + buildFilters(names: string[]): Record { + let filters: Record = {}; + if (names) { + for (let name of names) { + filters[name] = false; + } + } + return filters; + } + + 
toggleTeamGroupFilter(chip: MatChip) { + let teamGroup = chip.value.trim(); + if (!chip.selected) { + chip.toggleSelected(); + console.log(`${perfNow()}: Heat: Chip flip Group '${teamGroup}: ${chip.selected}`); + + // Update the team selections based on the team group selection + let selectedTeams: TeamName[] = []; + Object.keys(this.filtersTeams).forEach(key => { + this.filtersTeams[key] = this.teamGroups[teamGroup]?.includes(key) || false; + if (this.filtersTeams[key]) { + selectedTeams.push(key); + } + this.sectorService.setVisibleTeams(selectedTeams); + }); + this.hasTeamsFilter = Object.values(this.filtersTeams).some(v => v === true); + this.reColorHeatmap(); + } else { + console.log(`${perfNow()}: Heat: Chip flip Group '${teamGroup}: already on`); + } + } + + toggleTeamFilter(chip: MatChip) { + chip.toggleSelected(); + this.filtersTeams[chip.value.trim()] = chip.selected; + console.log(`${perfNow()}: Heat: Chip flip Team '${chip.value}: ${chip.selected}`); + + this.hasTeamsFilter = Object.values(this.filtersTeams).some(v => v === true); + + let selectedTeams: string[] = Object.keys(this.filtersTeams).filter( + key => this.filtersTeams[key] + ); + this.sectorService.setVisibleTeams(selectedTeams); + + // Update team group filter, if one matches selection + Object.keys(this.teamGroups || {}).forEach(group => { + let match: boolean = equalArray(selectedTeams, this.teamGroups[group]); + this.filtersTeamGroups[group] = match; + }); + this.filtersTeamGroups = this.filtersTeamGroups; + + this.reColorHeatmap(); + } + + getTeamProgressState(activityUuid: string, teamName: string): string { + return this.dataStore?.progressStore?.getTeamActivityTitle(activityUuid, teamName) || ''; + } + + getBackedupTeamProgressState(activityUuid: string, teamName: string): string { + return this.dataStore?.progressStore?.getTeamActivityTitle(activityUuid, teamName, true) || ''; + } + + onProgressChange(activityUuid: Uuid, teamName: TeamName, newProgress: ProgressTitle) { + if 
(!this.dataStore || !this.dataStore.progressStore || !this.dataStore.activityStore) { + throw Error('Data store or progress store is not initialized.'); + } + + this.dataStore.progressStore.setTeamActivityProgressState(activityUuid, teamName, newProgress); + let activity: Activity = this.dataStore.activityStore.getActivityByUuid(activityUuid); + let index = + this.dimensionLabels.indexOf(activity.dimension) + + this.dimensionLabels.length * (activity.level - 1); + + this.recolorSector(index); + } + + getSectorProgress(sector: Sector): number { + return this.sectorService.getSectorProgress(sector.activities); + } + + loadCircularHeatMap( + dom_element_to_append_to: string, + dataset: any, + dimLabels: string[], + maxLevel: number + ) { + let _self = this; + var imageWidth = 1200; + var marginAll = 5; + var margin = { + top: marginAll, + right: marginAll, + bottom: marginAll, + left: marginAll, + }; + var bbWidth = imageWidth - Math.max(margin.left + margin.right, margin.top + margin.bottom) * 2; // bounding box + var segmentLabelHeight = bbWidth * 0.0155; // Fuzzy number, to match the longest label within one sector + var outerRadius = bbWidth / 2 - segmentLabelHeight; + var innerRadius = outerRadius / 5; + var segmentHeight = (outerRadius - innerRadius) / maxLevel; + + var curr: any; + var chart = this.circularHeatChart(dimLabels.length) + .margin(margin) + .innerRadius(innerRadius) + .segmentHeight(segmentHeight) + .domain([0, 1]) + //.range(['white', 'green']) + // .radialLabels(radial_labels) + .segmentLabels(dimLabels) + .segmentLabelHeight(segmentLabelHeight); + + chart.accessor(function (sector: Sector) { + return _self.getSectorProgress(sector); + }); + + var svg = d3 + .select(dom_element_to_append_to) + .selectAll('svg') + .data([dataset]) + .enter() + .append('svg') + .attr('width', '100%') + .attr('height', '100%') + .attr('viewBox', `0 0 ${imageWidth} ${imageWidth}`) + .append('g') + .attr( + 'transform', + `translate(${margin.left + 
segmentLabelHeight}, ${margin.top + segmentLabelHeight})` + ) + .call(chart); + + svg + .selectAll('path') + .on('click', function () { + var clickedId = d3.select(this).attr('id'); + var index = parseInt(clickedId.replace('index-', '')); + _self.selectedSector = dataset[index]; // Store selected sector for details + // Assign showActivityCard to the sector if it has activities, else null + if (_self.selectedSector?.activities?.length) { + _self.setSectorCursor(svg, '#selected', clickedId); + _self.showActivityCard = _self.selectedSector; + console.log(`${perfNow()}: Heat: Clicked sector: '${_self.selectedSector.dimension}' Level: ${_self.selectedSector.level}`); // eslint-disable-line + } else { + _self.showActivityCard = null; + _self.setSectorCursor(svg, '#selected', ''); + console.log(`${perfNow()}: Heat: Clicked disabled sector: '${_self?.selectedSector?.dimension}' Level: ${_self?.selectedSector?.level}`); // eslint-disable-line + } + }) + .on('mouseover', function () { + var hoveredId = d3.select(this).attr('id'); + var index = parseInt(hoveredId.replace('index-', '')); + if (dataset[index]?.activities?.length) { + _self.setSectorCursor(svg, '#hover', hoveredId); + } else { + _self.setSectorCursor(svg, '#hover', ''); + } + }) + .on('mouseout', function () { + _self.setSectorCursor(svg, '#hover', ''); + }); + } + + circularHeatChart(num_of_segments: number) { + var margin = { + top: 20, + right: 50, + bottom: 50, + left: 20, + }, + innerRadius = 20, + numSegments = num_of_segments, + segmentHeight = 20, + segmentLabelHeight = 12, + domain: any = null, + // range = ['white', 'red'], + range = [this.theme_colors['background'], this.theme_colors['filled']], + accessor = function (d: any) { + return d; + }; + var radialLabels = []; + var segmentLabels: any[] = []; + let _self: any = this; + function chart(selection: any) { + selection.each(function (this: any, data: any) { + var svg = d3.select(this); + + var offset = innerRadius + Math.ceil(data.length / 
numSegments) * segmentHeight; + var g = svg + .append('g') + .classed('circular-heat', true) + .attr( + 'transform', + 'translate(' + (margin.left + offset) + ',' + (margin.top + offset) + ')' + ); + + var autoDomain = false; + if (domain === null) { + domain = d3.extent(data, accessor); + autoDomain = true; + } + var color = d3.scaleLinear().domain(domain).range(range); + if (autoDomain) domain = null; + + g.selectAll('path') + .data(data) + .enter() + .append('path') + .attr('class', function (d: any) { + return 'segment-' + d.dimension.replace(/ /g, '-'); + }) + .attr('id', function (d: any, i: number) { + return 'index-' + i; + }) + .attr('d', d3.arc().innerRadius(ir).outerRadius(or).startAngle(sa).endAngle(ea)) + .attr('stroke', _self.theme_colors['stroke']) + .attr('fill', function (d: any) { + if (!d.activities || d.activities.length === 0) { + return _self.theme_colors['disabled']; + } + return color(accessor(d)); + }); + + // Unique id so that the text path defs are unique - is there a better way to do this? 
+ // console.log(d3.selectAll(".circular-heat")["_groups"][0].length) + var id = 1; + + //Segment labels + var segmentLabelFontSize = (segmentLabelHeight * 2) / 3; + var segmentLabelOffset = (segmentLabelHeight * 1) / 3; + var r = + innerRadius + Math.ceil(data.length / numSegments) * segmentHeight + segmentLabelOffset; + var labels = svg + .append('g') + .classed('labels', true) + .classed('segment', true) + .attr( + 'transform', + 'translate(' + (margin.left + offset) + ',' + (margin.top + offset) + ')' + ); + + labels + .append('def') + .append('path') + .attr('id', 'segment-label-path-' + id) + .attr('d', 'm0 -' + r + ' a' + r + ' ' + r + ' 0 1 1 -1 0'); + + labels + .selectAll('text') + .data(segmentLabels) + .enter() + .append('text') + .append('textPath') + .attr('text-anchor', 'middle') + .attr('xlink:href', '#segment-label-path-' + id) + .style('font-size', segmentLabelFontSize) + .attr('startOffset', function (d, i) { + return ((i + 0.5) * 100) / numSegments + '%'; // shift ½ segment to center + }) + .text(function (d: any) { + return d; + }); + var cursors = svg + .append('g') + .classed('cursors', true) + .attr( + 'transform', + 'translate(' + (margin.left + offset) + ',' + (margin.top + offset) + ')' + ); + cursors + .append('path') + .attr('id', 'hover') + .attr('pointer-events', 'none') + .attr('stroke', 'green') + .attr('stroke-width', '7') + .attr('fill', 'transparent'); + cursors + .append('path') + .attr('id', 'selected') + .attr('pointer-events', 'none') + .attr('stroke', '#232323') + .attr('stroke-width', '4') + .attr('fill', 'transparent'); + }); + } + + /* Arc functions */ + var ir = function (d: any, i: number) { + return innerRadius + Math.floor(i / numSegments) * segmentHeight; + }; + var or = function (d: any, i: number) { + return innerRadius + segmentHeight + Math.floor(i / numSegments) * segmentHeight; + }; + var sa = function (d: any, i: number) { + return (i * 2 * Math.PI) / numSegments; + }; + var ea = function (d: any, i: number) { 
+ return ((i + 1) * 2 * Math.PI) / numSegments; + }; + + /* Configuration getters/setters */ + chart.margin = function (_: any) { + margin = _; + return chart; + }; + + chart.innerRadius = function (_: any) { + innerRadius = _; + return chart; + }; + + chart.numSegments = function (_: any) { + numSegments = _; + return chart; + }; + + chart.segmentHeight = function (_: any) { + segmentHeight = _; + return chart; + }; + + chart.segmentLabelHeight = function (_: any) { + segmentLabelHeight = _; + return chart; + }; + + chart.domain = function (_: any) { + domain = _; + return chart; + }; + + chart.range = function (_: any) { + range = _; + return chart; + }; + + chart.radialLabels = function (_: any) { + if (_ == null) _ = []; + radialLabels = _; + return chart; + }; + + chart.segmentLabels = function (_: any) { + if (_ == null) _ = []; + segmentLabels = _; + return chart; + }; + + chart.accessor = function (_: any) { + if (!arguments.length) return accessor; + accessor = _; + return chart; + }; + + return chart; + } + + setSectorCursor(svg: any, cursor: string, targetId: string): void { + let element = svg.select(cursor); + let path: string = ''; + if (targetId) { + if (targetId[0] != '#') targetId = '#' + targetId; + path = svg.select(targetId).attr('d'); + } + + svg.select(cursor).attr('d', path); + } + + defineStringValues(dataToCheck: string, valueOfDataIfUndefined: string): string { + try { + return this.markdown.render(dataToCheck); + } catch { + return valueOfDataIfUndefined; + } + } + + onPanelOpened(activity: any) { + console.log(`${perfNow()}: Heat: Card Panel opened: '${activity.name}'`); + } + onPanelClosed(activity: any) { + console.log(`${perfNow()}: Heat: Card Panel closed: '${activity.name}'`); + } + + openActivityDetails(dimension: string, activityName: string) { + // Find the activity in the selected sector + console.log(`${perfNow()}: Heat: Open Overlay: '${activityName}'`); + if (!this.dataStore) { + console.error(`Data store is not initialized. 
Cannot open activity ${activityName}`); + return; + } + if (!this.showActivityCard || !this.showActivityCard.activities) { + this.showOverlay = true; + return; + } + const activity = this.showActivityCard.activities.find( + (a: any) => a.activityName === activityName || a.name === activityName + ); + if (!activity) { + this.showOverlay = true; + return; + } + // Prepare navigationExtras and details + /* eslint-disable */ + this.showActivityDetails = activity; + this.KnowledgeLabel = this.dataStore.getMetaString('knowledgeLabels', activity.difficultyOfImplementation.knowledge); + this.TimeLabel = this.dataStore.getMetaString('labels', activity.difficultyOfImplementation.time); + this.ResourceLabel = this.dataStore.getMetaString('labels', activity.difficultyOfImplementation.resources); + this.UsefulnessLabel = this.dataStore.getMetaString('labels', activity.usefulness); + this.showOverlay = true; + /* eslint-enable */ + } + + closeOverlay() { + this.showOverlay = false; + // console.log(`${perfNow()}: Heat: Close Overlay: '${this.old_activityDetails.name}'`); + } + + toggleFilters() { + this.showFilters = !this.showFilters; + } + + recolorSector(index: number) { + // console.log('recolorSector', index); + var colorSector = d3 + .scaleLinear() + .domain([0, 1]) + .range([this.theme_colors['background'], this.theme_colors['filled']]); + + let progressValue: number = this.sectorService.getSectorProgress( + this.allSectors[index].activities + ); + d3.select('#index-' + index).attr( + 'fill', + isNaN(progressValue) ? 
this.theme_colors['disabled'] : colorSector(progressValue) + ); + // console.log(`Recolor sector ${index} with progress ${(progressValue*100).toFixed(1)}%`); + } + + reColorHeatmap() { + for (let index = 0; index < this.allSectors.length; index++) { + this.recolorSector(index); + } + } + + exportTeamProgress() { + console.log(`${perfNow()}: Exporting teams and groups`); + + let yamlStr: string | null = this.dataStore?.progressStore?.asYamlString() || null; + if (!yamlStr) { + this.displayMessage(new DialogInfo('No team progress data available', 'Export Error')); + return; + } + + downloadYamlFile(yamlStr, this.dataStore?.meta?.teamProgressFile || 'team-progress.yaml'); + } + + async deleteLocalTeamsProgress() { + let buttonClicked: string = await this.displayDeleteLocalProgressDialog(); + + if (buttonClicked === 'Delete') { + this.dataStore?.progressStore?.deleteBrowserStoredTeamProgress(); + location.reload(); // Make sure all load routines are initialized + } + } + + displayDeleteLocalProgressDialog(): Promise { + return new Promise((resolve, reject) => { + let title: string = 'Delete local browser data'; + let message: string = + 'Do you want to delete all progress for each team?' 
+ + '\n\nThis deletes all progress stored in your local browser, but does ' + + 'not change any progress stored in the yaml file on the server.'; + let buttons: string[] = ['Cancel', 'Delete']; + this.modal + .openDialog({ title, message, buttons, template: '' }) + .afterClosed() + .subscribe(data => { + resolve(data); + }); + }); + } + + getDatasetFromBrowserStorage(): any { + console.log(`${perfNow()}s: getDatasetFromBrowserStorage() ####`); + // @ts-ignore + if (this.old_ALL_CARD_DATA?.length && this.old_ALL_CARD_DATA[0]?.Task != null) { + console.log('Found outdated dataset, removing'); + localStorage.removeItem('dataset'); + } + + var content = localStorage.getItem('dataset'); + if (content != null) { + return JSON.parse(content); + } + return null; + } + + unsorted() { + return 0; + } +} diff --git a/src/app/pages/mapping/mapping.component.css b/src/app/pages/mapping/mapping.component.css new file mode 100644 index 000000000..470e715c4 --- /dev/null +++ b/src/app/pages/mapping/mapping.component.css @@ -0,0 +1,42 @@ +.content{ + width: 100%; +} + +.actions-row { + display: flex; + align-items: center; + gap: 16px; + margin: 24px 20px 0 20px; + flex-wrap: wrap; +} + +.search-box { + flex: 1 1 320px; + min-width: 220px; + max-width: 400px; +} + +.export-btn { + margin-left: auto; + min-width: 140px; +} + +.matrix-table{ + margin: 20px; +} + +.mat-cell, .mat-header-cell{ + padding: 20px 10px; + width: 12.5%; + max-width: 12.5%; + word-wrap: break-word; +} + +.mat-header-cell{ + font-size: 16px; + font-weight: bold; +} + +.hide{ + display: none; +} \ No newline at end of file diff --git a/src/app/pages/mapping/mapping.component.html b/src/app/pages/mapping/mapping.component.html new file mode 100644 index 000000000..453f9d61a --- /dev/null +++ b/src/app/pages/mapping/mapping.component.html @@ -0,0 +1,206 @@ +
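Review bot: The `this.themeService.theme$.subscribe(...)` at the end of ngOnInit is never unsubscribed and the class implements only OnInit, so every visit to this page leaves a live subscriber that repaints a torn-down heatmap on each later theme toggle; keep the handle in a field, `private themeSub?: Subscription;`, assign it with `this.themeSub = this.themeService.theme$.subscribe(...)`, and release it in `ngOnDestroy(): void { this.themeSub?.unsubscribe(); }` with OnDestroy added to the implements list. In toggleTeamGroupFilter, `this.sectorService.setVisibleTeams(selectedTeams);` sits inside the forEach over filtersTeams, so it is called once per team with a partially built list; move it after the loop next to the hasTeamsFilter update. The line `this.filtersTeamGroups = this.filtersTeamGroups;` in toggleTeamFilter is a self-assignment and can be dropped. getDatasetFromBrowserStorage reads `this.old_ALL_CARD_DATA` behind a `// @ts-ignore` although no such field is declared on the class, so the "outdated dataset" branch can never run, and it returns `JSON.parse(content)` from localStorage as `any` with no shape check; if the method is still needed, declare the field and narrow the parsed value before returning it, otherwise remove it together with the unused `unsorted()`.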
+ +
+ + Search + + + {{ term }} + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Dimension{{ element.dimension }}Sub-Dimension{{ element.subDimension }}Activity{{ element.activityName }}SAMM + +
    +
  • {{ sammElement }}
  • +
+
+
ISO 27001:2017 + +
    +
  • {{ ISOElement }}
  • +
+
+
ISO 27001:2022 + +
    +
  • {{ ISO22Element }}
  • +
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DimensionSub DimensionActivityLevelDescriptionRiskMeasureKnowledgeResourcesTimeUsefulnessAssessmentCommentsDepends OnSAMMISO 27001:2017ISO 27001:2022 + {{ team + ' - Status' }} +
+ + {{ item.dimension | slice : 0 : 32767 }} + + + + {{ item.subDimension | slice : 0 : 32767 }} + + + + {{ item.activityName | slice : 0 : 32767 }} + + + + {{ '' + item.level | slice : 0 : 32767 }} + + + + {{ item.description | slice : 0 : 32767 }} + + + + {{ item.risk | slice : 0 : 32767 }} + + + + {{ item.measure | slice : 0 : 32767 }} + + + + {{ item.knowledge | slice : 0 : 32767 }} + + + + {{ item.resources | slice : 0 : 32767 }} + + + + {{ item.time | slice : 0 : 32767 }} + + + + {{ item.usefulness | slice : 0 : 32767 }} + + + + {{ item.assessment | slice : 0 : 32767 }} + + + + {{ item.comments | slice : 0 : 32767 }} + + + + {{ item.dependsOn | slice : 0 : 32767 }} + + + + {{ item.samm2 | slice : 0 : 32767 }} + + + + {{ '\t' + item.ISO17 | slice : 0 : 32767 }} + + + + {{ item.ISO22 | slice : 0 : 32767 }} + + + + {{ dataStore.progressStore.getTeamActivityTitle(item.uuid, team) }} + +
+
diff --git a/src/app/component/mapping/mapping.component.spec.ts b/src/app/pages/mapping/mapping.component.spec.ts similarity index 71% rename from src/app/component/mapping/mapping.component.spec.ts rename to src/app/pages/mapping/mapping.component.spec.ts index f552a7cfe..9f809d263 100644 --- a/src/app/component/mapping/mapping.component.spec.ts +++ b/src/app/pages/mapping/mapping.component.spec.ts @@ -1,19 +1,24 @@ import { HttpClient, HttpHandler } from '@angular/common/http'; import { ComponentFixture, TestBed } from '@angular/core/testing'; import { MatAutocomplete } from '@angular/material/autocomplete'; -import { ymlService } from 'src/app/service/yaml-parser/yaml-parser.service'; import { MappingComponent } from './mapping.component'; +import { ModalMessageComponent } from 'src/app/component/modal-message/modal-message.component'; describe('MappingComponent', () => { let component: MappingComponent; let fixture: ComponentFixture; beforeEach(async () => { + /* eslint-disable */ await TestBed.configureTestingModule({ - providers: [ymlService, HttpClient, HttpHandler], + providers: [HttpClient, + HttpHandler, + { provide: ModalMessageComponent, useValue: {} }, + ], declarations: [MappingComponent, MatAutocomplete], }).compileComponents(); + /* eslint-enable */ }); beforeEach(() => { @@ -31,12 +36,4 @@ describe('MappingComponent', () => { const table = HTMLElement.querySelector('table')!; expect(table).toBeTruthy(); }); - - it('check for chip deletion', () => { - component.currentChip = ['row1', 'row2']; - component.removeChip('row1'); - const newChipRow = ['row2']; - fixture.detectChanges(); - expect(component.currentChip).toEqual(newChipRow); - }); }); diff --git a/src/app/pages/mapping/mapping.component.ts b/src/app/pages/mapping/mapping.component.ts new file mode 100644 index 000000000..c0556ac03 --- /dev/null +++ b/src/app/pages/mapping/mapping.component.ts 
@@ -0,0 +1,216 @@ +import { Component, OnInit, AfterViewInit, ViewChild, ElementRef } from '@angular/core'; +import { MatTableDataSource } from '@angular/material/table'; +import { MatSort } from '@angular/material/sort'; +import { COMMA, ENTER } from '@angular/cdk/keycodes'; +import { FormControl } from '@angular/forms'; +import * as XLSX from 'xlsx'; +import { LoaderService } from 'src/app/service/loader/data-loader.service'; +import { + DialogInfo, + ModalMessageComponent, +} from 'src/app/component/modal-message/modal-message.component'; +import { DataStore } from 'src/app/model/data-store'; +import { Uuid } from 'src/app/model/types'; +import { perfNow } from 'src/app/util/util'; + +const SEPARATOR = '\x1F'; // ASCII Unit Separator + +export interface MappingRow { + uuid: Uuid; + dimension: string; + subDimension: string; + activityName: string; + samm2: string[]; + ISO17: string[]; + ISO22: string[]; + description?: string; + risk?: string; + measure?: string; + knowledge?: string; + resources?: string; + time?: string; + usefulness?: string; + dependsOn?: string[]; + comments?: string; + assessment?: string; + level?: number; +} + +// Enum for sort mode +enum SortMode { + Activity = 'sortByActivity', + SAMM = 'sortBySAMM', + ISO17 = 'sortByISO', + ISO22 = 'sortByISO22', +} + +@Component({ + selector: 'app-mapping', + templateUrl: './mapping.component.html', + styleUrls: ['./mapping.component.css'], +}) +export class MappingComponent implements OnInit, AfterViewInit { + allMappings: MappingRow[] = []; + dataSource = new MatTableDataSource([]); + + //labels + knowledgeLabels: string[] = []; + generalLabels: string[] = []; + + allTeams: string[] = []; + displayedColumns: string[] = [ + 'dimension', + 'subDimension', + 'activityName', + 'samm2', + 'ISO17', + 'ISO22', + ]; + separatorKeysCodes: number[] = [ENTER, COMMA]; + + @ViewChild('chipInput') chipInput!: ElementRef; + @ViewChild(MatSort, { static: false }) sort!: MatSort; + + dataStore: DataStore = new 
DataStore(); + + searchTerms: string[] = []; + searchCtrl = new FormControl(''); + + constructor(private loader: LoaderService, public modal: ModalMessageComponent) {} + + ngOnInit(): void { + console.log(`${perfNow()}: Mapping: Loading yamls...`); + this.loader + .load() + .then((dataStore: DataStore) => { + this.setYamlData(dataStore); + this.dataSource.filterPredicate = this.filterFunction; + console.log(`${perfNow()}: Page loaded: Mapping`); + }) + .catch(err => { + this.displayMessage(new DialogInfo(err.message, 'An error occurred')); + if (err.hasOwnProperty('stack')) { + console.warn(err); + } + }); + } + + ngAfterViewInit() { + if (this.sort) { + this.dataSource.sort = this.sort; + this.dataSource.sortingDataAccessor = (item: MappingRow, property: string) => { + const value = (item as any)[property]; + if (Array.isArray(value)) { + return value.join(', '); + } + return value; + }; + } + } + + displayMessage(dialogInfo: DialogInfo) { + this.modal.openDialog(dialogInfo); + } + + setYamlData(dataStore: DataStore) { + this.dataStore = dataStore; + this.allTeams = dataStore.meta?.teams || []; + this.allMappings = this.transformDataStore(dataStore); + this.dataSource.data = this.allMappings; + } + + // Transform DataStore to MappingRow[] + transformDataStore(dataStore: DataStore): MappingRow[] { + if (!dataStore.activityStore) { + return []; + } + + return dataStore.activityStore.getAllActivities().map(activity => { + return { + uuid: activity.uuid || '', + dimension: activity.category || '', + subDimension: activity.dimension || '', + activityName: activity.name || '', + samm2: activity?.references?.samm2 || [], + ISO17: activity?.references?.iso27001_2017 || [], + ISO22: activity?.references?.iso27001_2022 || [], + description: activity.description.toString() || '', + risk: activity.risk.toString() || '', + measure: activity.measure.toString() || '', + knowledge: dataStore.getMetaString('knowledgeLabels', activity.knowledge), + resources: 
dataStore.getMetaString('labels', activity.resources), + time: dataStore.getMetaString('labels', activity.time), + usefulness: dataStore.getMetaString('labels', activity.usefulness), + dependsOn: activity.dependsOn || [], + comments: activity.comments.toString() || '', + assessment: activity.assessment.toString() || '', + level: activity.level || 0, + teamImplementation: activity.implementation || {}, + // teamsEvidence: activity.teamsEvidence || {}, + }; + }); + } + + exportToExcel() { + let element = document.getElementById('excel-table'); + const ws: XLSX.WorkSheet = XLSX.utils.table_to_sheet(element, { raw: true }); + const wb: XLSX.WorkBook = XLSX.utils.book_new(); + XLSX.utils.book_append_sheet(wb, ws, 'Sheet1'); + XLSX.writeFile(wb, 'DSOMM - Activities.xlsx'); + console.log(`${perfNow()}: Mapping: Exported to Excel`); + } + + //----------------------------- + // Filtering and sorting logic + //----------------------------- + applyFilter(event: KeyboardEvent) { + const input = event.target as HTMLInputElement; + const value = input.value.trim(); + if (event.key === 'Enter' && value) { + if (!this.searchTerms.includes(value.toLowerCase())) { + this.searchTerms.push(value.toLowerCase()); + this.updateFilter(); + } + input.value = ''; + this.searchCtrl.setValue(''); + } else if (!value && this.searchTerms.length === 0) { + this.dataSource.filter = ''; + } + } + + removeSearchTerm(term: string) { + this.searchTerms = this.searchTerms.filter(t => t !== term); + this.updateFilter(); + } + + clearFilter() { + console.log(`${perfNow()}: Mapping: Clear search filter`); + this.searchTerms = []; + this.dataSource.filter = ''; + this.searchCtrl.setValue(''); + } + + updateFilter() { + this.dataSource.filter = this.searchTerms.join(SEPARATOR); + console.log( + `${perfNow()}: Mapping: Search filter: ${this.dataSource.filter?.replace(SEPARATOR, ', ')}` + ); + } + + filterFunction(data: MappingRow, filter: string): boolean { + // Split filter into terms, require all terms to 
match + const terms = filter.split(SEPARATOR).filter(t => t); + const dataStr = [ + data.dimension, + data.subDimension, + data.activityName, + (data.samm2 || []).join(' '), + (data.ISO17 || []).join(' '), + (data.ISO22 || []).join(' '), + ] + .join(' ') + .toLowerCase(); + + return terms.every(term => dataStr.includes(term)); + } +} diff --git a/src/app/component/matrix/matrix.component.css b/src/app/pages/matrix/matrix.component.css similarity index 74% rename from src/app/component/matrix/matrix.component.css rename to src/app/pages/matrix/matrix.component.css index 7351c6508..4f8419aab 100644 --- a/src/app/component/matrix/matrix.component.css +++ b/src/app/pages/matrix/matrix.component.css @@ -83,3 +83,35 @@ border-radius: 16px; font: 500 14px / 20px Roboto, 'Helvetica Neue', sans-serif; } + +.mat-mdc-row .mat-mdc-cell { + border-bottom: 1px solid transparent; + border-top: 1px solid transparent; + cursor: pointer; +} + +.mat-mdc-row:hover .mat-mdc-cell { + border-color: currentColor; +} + +.mat-mdc-header-cell { + font-weight: bold; + font-size: medium; +} + +.matrix-table { + width: 100%; + margin-bottom: 20px; +} + +/* No data message styling */ +.mat-no-data-row { + height: 100px; +} + +.mat-no-data-row td { + text-align: center; + font-size: 16px; + color: rgba(0, 0, 0, 0.54); + padding: 24px; +} diff --git a/src/app/pages/matrix/matrix.component.html b/src/app/pages/matrix/matrix.component.html new file mode 100644 index 000000000..d9634ea9b --- /dev/null +++ b/src/app/pages/matrix/matrix.component.html @@ -0,0 +1,96 @@ +
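Review bot: `transformDataStore` calls `.toString()` on `activity.description`, `risk`, `measure`, `comments` and `assessment` before the `|| ''` fallback, so a missing field throws instead of falling back; if these can be absent in the yaml, `description: activity.description?.toString() ?? '',` (and likewise for the other four) makes the fallback actually reachable. `exportToExcel` hands the result of `document.getElementById('excel-table')` straight to `XLSX.utils.table_to_sheet`, which is `null` when the template has no such element; a guard `if (!element) { return; }` (with a log or dialog) avoids an unhandled exception. The log line in `updateFilter` uses `replace(SEPARATOR, ', ')`, which rewrites only the first separator; `split(SEPARATOR).join(', ')` shows every term. The `(item as any)[property]` in the sort accessor could be `item[property as keyof MappingRow]` to keep the accessor typed.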
+ + + Dimension Filter + + + {{ dim.key }} + + + + + Activity Tag Filter + + + {{ tag.key }} + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + + + + + + + + +
Category + + {{ element.Category }} + Dimension + {{ element.Dimension }} + {{ level.value }} + +
+ No activities match the selected filters +
+
diff --git a/src/app/pages/matrix/matrix.component.spec.ts b/src/app/pages/matrix/matrix.component.spec.ts new file mode 100644 index 000000000..73392940e --- /dev/null +++ b/src/app/pages/matrix/matrix.component.spec.ts 
@@ -0,0 +1,103 @@ +import { HttpClientModule } from '@angular/common/http'; +import { HttpClientTestingModule } from '@angular/common/http/testing'; +import { ComponentFixture, TestBed } from '@angular/core/testing'; +import { RouterTestingModule } from '@angular/router/testing'; +import { MatrixComponent, MatrixRow } from './matrix.component'; +import { MatChip } from '@angular/material/chips'; +import { ModalMessageComponent } from '../../component/modal-message/modal-message.component'; +import { MatDialogRef } from '@angular/material/dialog'; +import { LoaderService } from 'src/app/service/loader/data-loader.service'; +import { MockLoaderService } from 'src/app/service/loader/mock-data-loader.service'; + +// Setup test data +const MOCK_DATA: any = { + 'Test Category': { + 'Test Dimension': { + 'Activity 1': { uuid: '1', level: 1, tags: ['tag1', 'tag2'] }, + 'Activity 2': { uuid: '2', level: 1, tags: ['tag2', 'tag3'] }, + }, + }, + 'Test Category 2': { + 'Test Dimension 2': { + 'Activity Other': { uuid: '3', level: 1, tags: [] }, + }, + }, +}; +let mockLoaderService: MockLoaderService; + +describe('MatrixComponent', () => { + let component: MatrixComponent; + let fixture: ComponentFixture; + + beforeEach(async () => { + mockLoaderService = new MockLoaderService(MOCK_DATA); + await TestBed.configureTestingModule({ + providers: [ + HttpClientTestingModule, + { provide: LoaderService, useValue: mockLoaderService }, + { provide: MatDialogRef, useValue: {} }, + { provide: ModalMessageComponent, useValue: {} }, + ], + imports: [RouterTestingModule, HttpClientModule], + declarations: [MatrixComponent, MatChip], + }).compileComponents(); + }); + + beforeEach(async () => { + fixture = TestBed.createComponent(MatrixComponent); + component = fixture.componentInstance; + + fixture.detectChanges(); + await fixture.whenStable(); + }); + + it('should create', () => { + expect(component).toBeTruthy(); + }); + + it('should build matrix data', () => { + // Verify the data was 
loaded + expect(component.MATRIX_DATA).toBeTruthy(); + expect(component.MATRIX_DATA.length).toBeGreaterThan(0); + expect(component.MATRIX_DATA[0].Category).toBe('Test Category'); + expect(component.MATRIX_DATA[0].Dimension).toBe('Test Dimension'); + expect(component.MATRIX_DATA[0].level1.length).toBe(2); + + // Verify filters were initialized + expect(Object.keys(component.filtersTag)).toContain('tag1'); + expect(Object.keys(component.filtersDim)).toContain('Test Dimension'); + }); + + it('should filter data when tag filter is selected', () => { + expect(component.dataSource.data.length).toBe(2); + expect(component.dataSource.data[0].level1.length).toBe(2); + + // Create a mock MatChip with proper state tracking + const mockChip = { + value: 'tag1', + selected: false, + toggleSelected: function () { + this.selected = !this.selected; + }, + } as MatChip; + + // Ensure initial state + mockChip.selected = false; + + // Toggle tag filter on + console.log('Turn chip filter on'); + component.toggleTagFilters(mockChip); + // console.log('data after "on":', component.dataSource.data); + expect(component.filtersTag['tag1']).toBeTrue(); + expect(component.dataSource.data.length).toBe(1); + expect(component.dataSource.data[0].level1.length).toBe(1); + + // Toggle tag filter off again + console.log('Turn chip filter off'); + component.toggleTagFilters(mockChip); + // console.log('data after "off": ', component.dataSource.data); + expect(component.filtersTag['tag1']).toBeFalse(); + expect(component.dataSource.data.length).toBe(2); + expect(component.dataSource.data[0].level1.length).toBe(2); + }); +}); diff --git a/src/app/pages/matrix/matrix.component.ts b/src/app/pages/matrix/matrix.component.ts new file mode 100644 index 000000000..bd5723859 --- /dev/null +++ b/src/app/pages/matrix/matrix.component.ts 
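Review bot: `MatrixRow` is imported but never used in this spec, and `MOCK_DATA` is declared `any`, so the fixture is not checked against the loader's input shape; dropping the unused import and typing the mock (the component imports a `Data` type from `src/app/model/activity-store`, if `MockLoaderService` accepts it) would catch fixture drift at compile time. The `as MatChip` assertion on the object literal in the tag-filter test silences the missing-member check; since only `value`, `selected` and `toggleSelected` are read, a short comment such as `// minimal MatChip stand-in: only value/selected/toggleSelected are used` makes that explicit for the next reader. The `console.log` calls inside the test add noise to CI output and can be removed.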
@@ -0,0 +1,262 @@ +import { Component, OnInit, ElementRef, ViewChild } from '@angular/core'; +import { FormControl } from '@angular/forms'; +import { MatTableDataSource } from '@angular/material/table'; +import { Router, NavigationExtras } from '@angular/router'; +import { LoaderService } from 'src/app/service/loader/data-loader.service'; +import { Activity, ActivityStore, Data } from 'src/app/model/activity-store'; +import { UntilDestroy } from '@ngneat/until-destroy'; +import { MatChip, MatChipList } from '@angular/material/chips'; +import { deepCopy } from 'src/app/util/util'; +import { + ModalMessageComponent, + DialogInfo, +} from '../../component/modal-message/modal-message.component'; +import { DataStore } from 'src/app/model/data-store'; +import { perfNow } from 'src/app/util/util'; + +export interface MatrixRow { + Category: string; + Dimension: string; + level1: Activity[]; + level2: Activity[]; + level3: Activity[]; + level4: Activity[]; + level5: Activity[]; +} +type LevelKey = keyof Pick; + +@UntilDestroy() +@Component({ + selector: 'app-matrix', + templateUrl: './matrix.component.html', + styleUrls: ['./matrix.component.css'], +}) +export class MatrixComponent implements OnInit { + Routing: string = '/activity-description'; + dataStore: DataStore = new DataStore(); + data: Data = {}; + levels: Partial> = {}; + filtersTag: Record = {}; + filtersDim: Record = {}; + columnNames: string[] = []; + allCategoryNames: string[] = []; + allDimensionNames: string[] = []; + MATRIX_DATA: MatrixRow[] = []; + dataSource: any = new MatTableDataSource(this.MATRIX_DATA); + + /* eslint-disable */ + constructor( + private loader: LoaderService, + private router: Router, + public modal: ModalMessageComponent + ) {} + /* eslint-enable */ + + reset() { + for (let dim in this.filtersDim) { + this.filtersDim[dim] = false; + } + for (let tag in this.filtersTag) { + this.filtersTag[tag] = false; + } + this.updateActivitiesBeingDisplayed(); + } + + ngOnInit(): void { + 
console.log(`${perfNow()}: Matrix: Loading yamls...`); + this.loader + .load() + .then((dataStore: DataStore) => { + this.setYamlData(dataStore); + console.log(`${perfNow()}: Page loaded: Matrix`); + }) + .catch(err => { + this.displayMessage(new DialogInfo(err.message, 'An error occurred')); + if (err.hasOwnProperty('stack')) { + console.warn(err); + } + }); + } + + displayMessage(dialogInfo: DialogInfo) { + this.modal.openDialog(dialogInfo); + } + + setYamlData(dataStore: DataStore) { + this.dataStore = dataStore; + if (!dataStore.activityStore) { + return; + } + // this.data = this.activities.getData(); + this.allCategoryNames = dataStore?.activityStore?.getAllCategoryNames() || []; + this.allDimensionNames = dataStore?.activityStore?.getAllDimensionNames() || []; + + this.MATRIX_DATA = this.buildMatrixData(dataStore.activityStore); + this.levels = this.buildLevels(dataStore.getLevels()); + this.filtersTag = this.buildFiltersForTag(dataStore.activityStore.getAllActivities()); // eslint-disable-line + this.filtersDim = this.buildFiltersForDim(this.MATRIX_DATA); + this.columnNames = ['Category', 'Dimension']; + this.columnNames.push(...Object.keys(this.levels)); + + this.dataSource.data = deepCopy(this.MATRIX_DATA); + } + + buildFiltersForTag(activities: Activity[]): Record { + let tags: Record = {}; + for (let activity of activities) { + if (activity.tags) { + for (let tag of activity.tags) { + tags[tag] = false; + } + } + } + return tags; + } + + buildFiltersForDim(matrixData: MatrixRow[]): Record { + let dimensions: Record = {}; + for (let item of matrixData) { + if (item.Dimension) { + dimensions[item.Dimension] = false; + } + } + return dimensions; + } + + buildLevels(levelNames: string[]): Record { + let levels: Record = {}; + let i: number = 1; + for (let name of levelNames) { + levels['level' + i] = name; + i++; + } + return levels; + } + + buildMatrixData(activityStore: ActivityStore): MatrixRow[] { + let matrixData: MatrixRow[] = []; + for (let dim of 
this.allDimensionNames) { + let matrixRow: Partial = {}; + for (let level = 1; level <= 5; level++) { + let activities: Activity[] = activityStore.getActivities(dim, level); + let levelLabel: LevelKey = `level${level}` as LevelKey; + matrixRow[levelLabel] = activities; + if (activities.length > 0 && !matrixRow.Category) { + matrixRow['Category'] = activities[0].category; + matrixRow['Dimension'] = activities[0].dimension; + } + } + matrixData.push(matrixRow as MatrixRow); + } + return matrixData; + } + + @ViewChild(MatChipList) + chipsControl = new FormControl(['chipsControl']); + chipList!: MatChipList; + + toggleTagFilters(chip: MatChip) { + chip.toggleSelected(); + this.filtersTag[chip.value] = chip.selected; + console.log(`${perfNow()}: Matrix: Chip flip Tag '${chip.value}: ${chip.selected}`); + this.updateActivitiesBeingDisplayed(); + } + + toggleDimensionFilters(chip: MatChip) { + chip.toggleSelected(); + this.filtersDim[chip.value] = chip.selected; + console.log(`${perfNow()}: Matrix: Chip flip Dim '${chip.value}: ${chip.selected}`); + this.updateActivitiesBeingDisplayed(); + } + + @ViewChild('rowInput') rowInput!: ElementRef; + @ViewChild('activityInput') activityInput!: ElementRef; + + updateActivitiesBeingDisplayed(): void { + let hasDimFilter = Object.values(this.filtersDim).some(v => v === true); + let hasTagFilter = Object.values(this.filtersTag).some(v => v === true); + + if (!hasTagFilter && !hasDimFilter) { + this.dataSource.data = this.MATRIX_DATA; + return; + } + + // Apply dimension filters + let itemsStage1: MatrixRow[] = []; + if (!hasDimFilter) { + itemsStage1 = this.MATRIX_DATA; + } else { + for (let srcItem of this.MATRIX_DATA) { + if (this.filtersDim[srcItem.Dimension]) { + itemsStage1.push(srcItem as MatrixRow); + } + } + } + + // Apply tag filters + let itemsStage2: MatrixRow[]; + if (!hasTagFilter) { + itemsStage2 = itemsStage1; + } else { + itemsStage2 = []; + for (let srcItem of itemsStage1) { + let hasContent = false; + + let trgItem: 
Partial = {}; + if (hasTagFilter) { + // Include activities withing each level, that match the tag filter + + // If tag filter is active, filter activities by tags + for (let lvl of Object.keys(this.levels) as LevelKey[]) { + let tmp: Activity[]; + tmp = srcItem[lvl].filter(activity => this.hasTag(activity)); + if (tmp.length > 0) { + trgItem[lvl] = tmp; + hasContent = true; + } + } + + // Only include the row if it has any activities after tag filtering + if (hasContent) { + // Copy metadata, since the element has remaining activities after filtering + trgItem.Category = srcItem.Category; + trgItem.Dimension = srcItem.Dimension; + + itemsStage2.push(trgItem as MatrixRow); + } + } + } + } + this.dataSource.data = itemsStage2; + } + + hasTag(activity: Activity): boolean { + if (activity.tags) { + for (let tagName of activity.tags) { + if (this.filtersTag[tagName]) return true; + } + } + return false; + } + + hasFilterValues(filter: Record): boolean { + let lastValue: boolean | null = null; + for (let value of Object.values(filter)) { + if (lastValue == null) { + lastValue = value; + } else { + if (value != lastValue) return true; + } + } + return false; + } + + // activity description routing + providing parameters + navigate(uuid: string) { + const navigationExtras: NavigationExtras = { + queryParams: { uuid: uuid }, + }; + console.log(`${perfNow()}: Matrix: Open Details: '${this.dataStore?.activityStore?.getActivityByUuid(uuid).name}'`); // eslint-disable-line + this.router.navigate([this.Routing], navigationExtras); + } +} diff --git a/src/app/component/usage/usage.component.css b/src/app/pages/roadmap/roadmap.component.css similarity index 100% rename from src/app/component/usage/usage.component.css rename to src/app/pages/roadmap/roadmap.component.css diff --git a/src/app/pages/roadmap/roadmap.component.html b/src/app/pages/roadmap/roadmap.component.html new file mode 100644 index 000000000..22a2e48c5 --- /dev/null 
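Review bot: The `@ViewChild(MatChipList)` decorator sits directly above `chipsControl = new FormControl(['chipsControl']);`, so Angular writes the query result into `chipsControl` rather than into the `chipList!: MatChipList;` field declared on the next line, which is never populated; the decorator belongs on that field: `@ViewChild(MatChipList) chipList!: MatChipList;`. `buildMatrixData` hard-codes `level <= 5` while `buildLevels` keys on however many names `dataStore.getLevels()` returns and `updateActivitiesBeingDisplayed` iterates `Object.keys(this.levels)` as `LevelKey`, so a sixth level would make `srcItem[lvl].filter(...)` throw on `undefined` — if the level count can vary, derive the loop bound from `this.levels` or guard with `(srcItem[lvl] ?? [])`. Inside the `else` branch of `if (!hasTagFilter)` the nested `if (hasTagFilter)` is always true and can be removed. `dataSource: any` drops the typing of `MatTableDataSource`; declaring it with the `MatrixRow` generic keeps `dataSource.data` checked.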
+++ b/src/app/pages/roadmap/roadmap.component.html @@ -0,0 +1,4 @@ + +
+ +
diff --git a/src/app/pages/roadmap/roadmap.component.spec.ts b/src/app/pages/roadmap/roadmap.component.spec.ts new file mode 100644
index 000000000..49c6d6597
--- /dev/null
+++ b/src/app/pages/roadmap/roadmap.component.spec.ts
@@ -0,0 +1,24 @@
+import { ComponentFixture, TestBed } from '@angular/core/testing';
+
+import { RoadmapComponent } from './roadmap.component';
+
+describe('RoadmapComponent', () => {
+ let component: RoadmapComponent;
+ let fixture: ComponentFixture;
+
+ beforeEach(async () => {
+ await TestBed.configureTestingModule({
+ declarations: [RoadmapComponent],
+ }).compileComponents();
+ });
+
+ beforeEach(() => {
+ fixture = TestBed.createComponent(RoadmapComponent);
+ component = fixture.componentInstance;
+ fixture.detectChanges();
+ });
+
+ it('should create', () => {
+ expect(component).toBeTruthy();
+ });
+});
diff --git a/src/app/pages/roadmap/roadmap.component.ts b/src/app/pages/roadmap/roadmap.component.ts new file mode 100644
index 000000000..c2966f9d3
--- /dev/null
+++ b/src/app/pages/roadmap/roadmap.component.ts
@@ -0,0 +1,15 @@
+import { Component, OnInit } from '@angular/core';
+import { perfNow } from 'src/app/util/util';
+
+@Component({
+ selector: 'app-roadmap',
+ templateUrl: './roadmap.component.html',
+ styleUrls: ['./roadmap.component.css'],
+})
+export class RoadmapComponent implements OnInit {
+ constructor() {}
+
+ ngOnInit() {
+ console.log(`${perfNow()}: Page loaded: Roadmap`);
+ }
+}
diff --git a/src/app/pages/teams/teams.component.css b/src/app/pages/teams/teams.component.css new file mode 100644
index 000000000..3ab498219
--- /dev/null
+++ b/src/app/pages/teams/teams.component.css
@@ -0,0 +1,104 @@ +h2 { + color: #000000; + text-align: center; + font-weight: 800; + font-size: 2em; + margin: 1em 1em 0.2em; +} +h3 { + color: #000000; + text-align: center; + font-weight: 500; + font-size: 1.2em; + font-style: italic; + margin: 1em 1em; +} + +.team-section { + padding: 0 1rem 1rem; +} + +.team-list { + width: 70%; + overflow-x: auto; + white-space: nowrap; + padding: 20px; + margin: 0 auto; +} + +.team-list ul { + list-style-type: none; + padding: 0; + margin: 0; + display: flex; /* Use flex layout */ +} + +.team-list ul li { + flex: 0 0 150px; /* Set a fixed width */ + height: 100px; + background-color: #66bb6a; + border-radius: 10px; + margin-right: 20px; + display: flex; /* Use flex layout */ + justify-content: center; /* Center horizontally */ + align-items: center; /* Center vertically */ + box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1); + font-size: 16px; + font-weight: bold; +} + +.button-container { + display: flex; + flex-direction: row; + justify-content: flex-end; +} +.button-container button { + margin: 10px; +} + +.team-info { + display: flex; + flex-direction: column; +} + +.team-info .subheader { + text-align: center; + font-style: italic; +} + +.info-kpis { + display: flex; + flex-direction: row; + gap: 1rem; +} + + +.info-table{ + margin: 20px; +} + +.mat-cell, .mat-header-cell{ + padding: 20px 10px; + /* width: 12.5%; */ + /* max-width: 12.5%; */ + word-wrap: break-word; +} + +.mat-header-cell{ + font-size: 16px; + font-weight: bold; +} +td.mat-cell { + padding: 0 20px; +} + +.progress-col { + width: 120px; + min-width: 120px; + max-width: 120px; + text-align: center; +} + +.teams-table { + box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1); +} \ No newline at end of file diff --git a/src/app/pages/teams/teams.component.html b/src/app/pages/teams/teams.component.html new file mode 100644 index 000000000..5e6d5f219 --- /dev/null +++ b/src/app/pages/teams/teams.component.html @@ -0,0 +1,81 @@ +
+ +
+ + +
+ +
+

{{ infoTitle }}

+
+ {{ info[infoTitle]?.teams?.join(', ') }} +
+
+
+ + + +
+
+ +

Activities in progress

+ + + + + + + + + + + + + + + + + + + + + + + + +
Team + {{ element?.team }} + + Activity + + {{ element?.activity?.name }} + + {{ progressColumn }} + + + {{ dateStr(element?.progress?.[progressColumn]) }} + +
+ Currently no activities in progress for {{ info[infoTitle]?.teams?.join(', ') }} +
+
+
diff --git a/src/app/pages/teams/teams.component.spec.ts b/src/app/pages/teams/teams.component.spec.ts new file mode 100644 index 000000000..66e69baf1 --- /dev/null +++ b/src/app/pages/teams/teams.component.spec.ts 
@@ -0,0 +1,53 @@ +import { HttpClientModule, HttpHandler } from '@angular/common/http'; +import { HttpClientTestingModule } from '@angular/common/http/testing'; +import { ComponentFixture, TestBed } from '@angular/core/testing'; +import { RouterTestingModule } from '@angular/router/testing'; +import { MatChip } from '@angular/material/chips'; + +import { TeamsComponent } from './teams.component'; +import { ModalMessageComponent } from 'src/app/component/modal-message/modal-message.component'; +import { LoaderService } from 'src/app/service/loader/data-loader.service'; +import { MockLoaderService } from 'src/app/service/loader/mock-data-loader.service'; +import { isEmptyObj, perfNow } from 'src/app/util/util'; + +let mockLoaderService: MockLoaderService; + +describe('TeamsComponent', () => { + let component: TeamsComponent; + let fixture: ComponentFixture; + mockLoaderService = new MockLoaderService({}); + + beforeEach(async () => { + /* eslint-disable */ + // await mockLoaderService.load(); + await TestBed.configureTestingModule({ + providers: [ + HttpClientTestingModule, + { provide: ModalMessageComponent, useValue: {} }, + { provide: LoaderService, useValue: mockLoaderService }, + ], + imports: [RouterTestingModule, HttpClientModule], + declarations: [TeamsComponent, MatChip], + }).compileComponents(); + /* eslint-enable */ + }); + + beforeEach(async () => { + fixture = TestBed.createComponent(TeamsComponent); + component = fixture.componentInstance; + + fixture.detectChanges(); + await fixture.whenStable(); + fixture.detectChanges(); + }); + + it('should create', () => { + expect(component).toBeTruthy(); + }); + + it('check loading teams', () => { + expect(component.teams).toContain('Team A'); + expect(component.teams).toContain('Team B'); + expect(component.teamGroups?.['AB']).toBeDefined(); + }); +}); diff --git a/src/app/pages/teams/teams.component.ts b/src/app/pages/teams/teams.component.ts new file mode 100644 index 000000000..58fab3fb2 --- /dev/null 
+++ b/src/app/pages/teams/teams.component.ts 
@@ -0,0 +1,234 @@ +import { AfterViewInit, Component, OnInit, ViewChild } from '@angular/core'; +import { MatSort } from '@angular/material/sort'; +import { MatTableDataSource } from '@angular/material/table'; +import { sum } from 'd3'; +import { + DialogInfo, + ModalMessageComponent, +} from 'src/app/component/modal-message/modal-message.component'; +import { + SelectionChangedEvent, + TeamsGroupsChangedEvent, +} from 'src/app/component/teams-groups-editor/teams-groups-editor.component'; +import { Activity } from 'src/app/model/activity-store'; +import { DataStore } from 'src/app/model/data-store'; +import { TeamActivityProgress as progressStoreMapping } from 'src/app/model/progress-store'; +import { TeamGroups, TeamName, TeamNames, TeamProgress, Uuid } from 'src/app/model/types'; +import { LoaderService } from 'src/app/service/loader/data-loader.service'; +import { downloadYamlFile } from 'src/app/util/download'; +import { isEmptyObj, perfNow, dateStr, uniqueCount } from 'src/app/util/util'; + +@Component({ + selector: 'app-teams', + templateUrl: './teams.component.html', + styleUrls: ['./teams.component.css'], +}) +export class TeamsComponent implements OnInit, AfterViewInit { + dateStr = dateStr; + dataStore: DataStore = new DataStore(); + canEdit: boolean = false; + teams: TeamNames = []; + teamGroups: TeamGroups = {}; + + // Info panel showing KPIs for teams and groups + infoTitle: string = ''; + infoTeams: TeamNames = []; + info: Record = {}; + + dataSource: MatTableDataSource = new MatTableDataSource([]); // eslint-disable-line + allColumnNames: string[] = []; + progressColumnNames: string[] = []; + @ViewChild(MatSort, { static: false }) sort!: MatSort; + + constructor(private loader: LoaderService, public modal: ModalMessageComponent) {} + + ngOnInit(): void { + console.log(`${perfNow()}: Teams: Loading yamls...`); + + this.loader + .load() + .then((dataStore: DataStore) => { + this.setYamlData(dataStore); + console.log(`${perfNow()}: Page loaded: Teams`); 
+ }) + .catch(err => { + this.displayMessage(new DialogInfo(err.message, 'An error occurred')); + if (err.hasOwnProperty('stack')) { + console.warn(err); + } + }); + } + + ngAfterViewInit() { + if (this.sort) { + this.dataSource.sort = this.sort; + this.dataSource.sortingDataAccessor = ( + item: TeamSummaryActivityProgress, + property: string + ) => { + if (property === 'Team') { + return item.team; + } + if (property === 'Activity') { + return item.activity?.name || ''; + } + // For progress columns, sort by date string or timestamp + if (this.progressColumnNames.includes(property)) { + // If your progress is a date string, you may want to convert to Date for proper sorting + const value = item.progress?.[property]; + return value ? new Date(value).getTime() : 0; + } + return ''; + }; + } + } + + setYamlData(dataStore: DataStore) { + this.dataStore = dataStore; + if (this.dataStore.meta) { + this.canEdit = this.dataStore.meta.allowChangeTeamNameInBrowser; + } + + this.teams = dataStore?.meta?.teams || []; + this.teamGroups = dataStore?.meta?.teamGroups || {}; + + this.progressColumnNames = this.dataStore?.progressStore?.getInProgressTitles() || []; + this.allColumnNames = ['Team', 'Activity', ...this.progressColumnNames]; + } + + displayMessage(dialogInfo: DialogInfo) { + this.modal.openDialog(dialogInfo); + } + + onSelectionChanged(event: SelectionChangedEvent) { + console.log(`${perfNow()}: Selection changed: ${JSON.stringify(event)}`); + if (event.selectedTeam) { + this.infoTitle = event.selectedTeam; + this.infoTeams = [event.selectedTeam]; + } else if (event.selectedGroup) { + this.infoTitle = event.selectedGroup; + this.infoTeams = this.teamGroups[event.selectedGroup] || []; + } + + if (!this.info[this.infoTitle]) { + this.info[this.infoTitle] = this.makeTeamSummary(this.infoTitle, this.infoTeams); + } + this.dataSource.data = this?.info[this.infoTitle]?.activitiesInProgress || []; + } + + onTeamsChanged(event: TeamsGroupsChangedEvent) { + 
console.log(`${perfNow()}: Saving teams: ${JSON.stringify(event.teams)}`); + console.log(`${perfNow()}: Saving groups: ${JSON.stringify(event.teamGroups)}`); + this.dataStore?.meta?.updateTeamsAndGroups(event.teams, event.teamGroups); + if (!isEmptyObj(event.teamsRenamed)) { + for (let oldName in event.teamsRenamed) { + this.dataStore?.progressStore?.renameTeam(oldName, event.teamsRenamed[oldName]); + delete this.info?.[oldName]; + delete this.info?.[event.teamsRenamed[oldName]]; + } + this.dataStore?.progressStore?.saveToLocalStorage(); + } + this.info[this.infoTitle] = this.makeTeamSummary(this.infoTitle, this.infoTeams); + this.dataSource.data = this?.info[this.infoTitle]?.activitiesInProgress || []; + + this.setYamlData(this.dataStore); + } + + onExportTeamGroups() { + console.log(`${perfNow()}: Exporting teams and groups`); + const yamlStr: string | undefined = this?.dataStore?.meta?.asStorableYamlString(); + + if (!yamlStr) { + this.displayMessage( + new DialogInfo('No team and groups names stored locally in the browser', 'Export Error') + ); + return; + } + + downloadYamlFile(yamlStr, 'teams.yaml'); + } + + async onResetTeamGroups() { + let buttonClicked: string = await this.displayDeleteBrowserTeamsDialog(); + + if (buttonClicked === 'Delete') { + this.dataStore?.meta?.deleteLocalStorage(); + location.reload(); // Make sure all load routines are initialized + } + } + + displayDeleteBrowserTeamsDialog(): Promise { + return new Promise((resolve, reject) => { + let title: string = 'Delete local browser data'; + let message: string = + 'Do you want to reset all team and group names?' 
+ + '\n\nThis will revert the names to the names stored in the yaml file on the server.'; + let buttons: string[] = ['Cancel', 'Delete']; + this.modal + .openDialog({ title, message, buttons, template: '' }) + .afterClosed() + .subscribe(data => { + resolve(data); + }); + }); + } + + makeTeamSummary(name: string, teams: TeamNames): TeamSummary { + /* eslint-disable */ + let activitiesStarted: progressStoreMapping[] = this.dataStore?.progressStore?.getActivitiesStartedForTeams(teams) || []; + let activitiesInProgress: progressStoreMapping[] = this.dataStore?.progressStore?.getActivitiesInProgressForTeams(teams) || []; + let activitiesCompleted: progressStoreMapping[] = this.dataStore?.progressStore?.getActivitiesCompletedForTeams(teams) || []; + + let summary: TeamSummary = { + teams, + lastUpdated: null, + activitiesCompleted: [], + activitiesInProgress: [], + uniqueActivitiesCompletedCount: 0, + uniqueActivitiesInProgressCount: 0, + }; + var _self = this; + summary.activitiesCompleted = activitiesCompleted.map(activityProgress => _self.mapIncludeActivity(activityProgress)); + summary.activitiesInProgress = activitiesInProgress.map(activityProgress => _self.mapIncludeActivity(activityProgress)); + summary.uniqueActivitiesCompletedCount = uniqueCount(summary.activitiesCompleted.map(item => item.activity.uuid)); + summary.uniqueActivitiesInProgressCount = uniqueCount(summary.activitiesInProgress.map(item => item.activity.uuid)); + if (activitiesStarted.length == 0) { + summary.lastUpdated = null; + } else { + summary.lastUpdated = activitiesStarted.map(activityProgress => _self.mapIncludeActivity(activityProgress).lastUpdated) + // .map(activityProgress => activityProgress.lastUpdated) + .reduce((max, current) => (current > max ? 
current : max)); + } + /* eslint-enable */ + + return summary; + } + + mapIncludeActivity(input: progressStoreMapping): TeamSummaryActivityProgress { + return { + team: input.team, + activity: + this.dataStore?.activityStore?.getActivityByUuid(input.activityUuid) || ({} as Activity), + progress: input.progress, + lastUpdated: Object.values(input.progress).reduce((max, current) => + current > max ? current : max + ), + }; + } +} + +export interface TeamSummary { + teams: TeamNames; + lastUpdated: Date | null; + activitiesCompleted: TeamSummaryActivityProgress[]; + activitiesInProgress: TeamSummaryActivityProgress[]; + uniqueActivitiesCompletedCount: number; + uniqueActivitiesInProgressCount: number; +} + +export interface TeamSummaryActivityProgress { + team: TeamName; + activity: Activity; + progress: TeamProgress; + lastUpdated: Date; +} diff --git a/src/app/pages/usage/usage.component.css b/src/app/pages/usage/usage.component.css new file mode 100644 index 000000000..e69de29bb diff --git a/src/app/pages/usage/usage.component.html b/src/app/pages/usage/usage.component.html new file mode 100644 index 000000000..5997bd80a --- /dev/null +++ b/src/app/pages/usage/usage.component.html @@ -0,0 +1,3 @@ + + + diff --git a/src/app/component/usage/usage.component.spec.ts b/src/app/pages/usage/usage.component.spec.ts similarity index 100% rename from src/app/component/usage/usage.component.spec.ts rename to src/app/pages/usage/usage.component.spec.ts diff --git a/src/app/component/usage/usage.component.ts b/src/app/pages/usage/usage.component.ts similarity index 86% rename from src/app/component/usage/usage.component.ts rename to src/app/pages/usage/usage.component.ts index 661f80812..d19ca9905 100644 --- a/src/app/component/usage/usage.component.ts +++ b/src/app/pages/usage/usage.component.ts 
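Review bot: `onTeamsChanged` evicts only the `info` cache entries for renamed teams and then rebuilds the entry for the current `infoTitle`, so cached summaries for every other team or group (whose membership may have changed through `event.teamGroups`) stay stale until reload; resetting the whole cache with `this.info = {};` before the recompute is simpler and replaces the per-name deletes. `mapIncludeActivity` calls `Object.values(input.progress).reduce(...)` with no initial value, which throws a `TypeError` on an empty progress object — if `TeamProgress` can be empty, guard it or widen `lastUpdated` to `Date | null` as `TeamSummary` already does. `import { sum } from 'd3'` is not used anywhere in this file and can be dropped. The `var _self = this;` in `makeTeamSummary` is unnecessary because the callbacks are arrow functions and can use `this` directly, and `activitiesStarted.length == 0` should be `=== 0`.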
@@ -1,5 +1,6 @@ import { Component, OnInit } from '@angular/core'; import { ActivatedRoute } from '@angular/router'; +import { perfNow } from 'src/app/util/util'; @Component({ selector: 'app-usage', @@ -20,5 +21,6 @@ export class UsageComponent implements OnInit { } }); } + console.log(`${perfNow()}: Page loaded: Usage`); } } diff --git a/src/app/component/userday/userday.component.css b/src/app/pages/userday/userday.component.css similarity index 100% rename from src/app/component/userday/userday.component.css rename to src/app/pages/userday/userday.component.css diff --git a/src/app/pages/userday/userday.component.html b/src/app/pages/userday/userday.component.html new file mode 100644 index 000000000..023c260ab --- /dev/null +++ b/src/app/pages/userday/userday.component.html @@ -0,0 +1,12 @@ + +
+ + +
+

Archive

+ Previous DSOMM User Day pages with the full list of talks, downloadable material, and YouTube + links. +
+ + +
diff --git a/src/app/component/userday/userday.component.spec.ts b/src/app/pages/userday/userday.component.spec.ts similarity index 100% rename from src/app/component/userday/userday.component.spec.ts rename to src/app/pages/userday/userday.component.spec.ts diff --git a/src/app/pages/userday/userday.component.ts b/src/app/pages/userday/userday.component.ts new file mode 100644 index 000000000..5b4f001a4 --- /dev/null +++ b/src/app/pages/userday/userday.component.ts @@ -0,0 +1,15 @@ +import { Component, OnInit } from '@angular/core'; +import { perfNow } from 'src/app/util/util'; + +@Component({ + selector: 'app-userday', + templateUrl: './userday.component.html', + styleUrls: ['./userday.component.css'], +}) +export class UserdayComponent implements OnInit { + constructor() {} + + ngOnInit() { + console.log(`${perfNow()}: Page loaded: Userday`); + } +} diff --git a/src/app/service/loader/data-loader.service.spec.ts b/src/app/service/loader/data-loader.service.spec.ts new file mode 100644 index 000000000..85fdd36c1 --- /dev/null +++ b/src/app/service/loader/data-loader.service.spec.ts @@ -0,0 +1,18 @@ +import { TestBed } from '@angular/core/testing'; +import { LoaderService } from './data-loader.service'; +import { YamlService } from '../yaml-loader/yaml-loader.service'; + +describe('DataLoaderService', () => { + let service: LoaderService; + + beforeEach(() => { + TestBed.configureTestingModule({ + providers: [LoaderService, YamlService], + }); + service = TestBed.inject(LoaderService); + }); + + it('should be created', () => { + expect(service).toBeTruthy(); + }); +}); diff --git a/src/app/service/loader/data-loader.service.ts b/src/app/service/loader/data-loader.service.ts new file mode 100644 index 000000000..02620f614 --- /dev/null +++ b/src/app/service/loader/data-loader.service.ts 
@@ -0,0 +1,176 @@ +import { Injectable } from '@angular/core'; +import { perfNow } from 'src/app/util/util'; +import { YamlService } from '../yaml-loader/yaml-loader.service'; +import { MetaStore } from 'src/app/model/meta-store'; +import { TeamProgressFile, Uuid } from 'src/app/model/types'; +import { Activity, ActivityStore, Data } from 'src/app/model/activity-store'; +import { DataStore } from 'src/app/model/data-store'; + +export class DataValidationError extends Error { + constructor(message: string) { + super(message); + } +} + +@Injectable({ providedIn: 'root' }) +export class LoaderService { + private META_FILE: string = '/assets/YAML/meta.yaml'; + private debug: boolean = false; + private dataStore: DataStore | null = null; + + constructor(private yamlService: YamlService) {} + + public async load(): Promise { + // Return cached data if available + if (this.dataStore) { + return this.dataStore; + } + + // Initialize a new DataStore and load data + this.dataStore = new DataStore(); + try { + if (this.debug) console.log(`${perfNow()}: ----- Load Service Begin -----`); + + // Load meta.yaml first + this.dataStore.meta = await this.loadMeta(); + this.dataStore.progressStore?.init(this.dataStore.meta.progressDefinition); + + // Then load activities + this.dataStore.addActivities(await this.loadActivities(this.dataStore.meta)); + + // Add a activity name lookup table for the progress store + let activityMap: Record = {}; + this.dataStore.activityStore?.getAllActivities().forEach((activity: Activity) => { + activityMap[activity.uuid] = activity.name; + }); + this.dataStore.progressStore?.setActivityMap(activityMap); + + // Load the progress for each team's activities + let teamProgress: TeamProgressFile = await this.loadTeamProgress(this.dataStore.meta); + this.dataStore.addProgressData(teamProgress.progress); + let browserProgress: TeamProgressFile | null = + this.dataStore.progressStore?.retrieveStoredTeamProgress() || null; + if (browserProgress != null) { + 
this.dataStore.addProgressData(browserProgress?.progress); + } + + // TODO: Load old yaml format (generated.yaml) + // TODO: Load old yaml format (localStorage) + console.log(`${perfNow()}: YAML: All YAML files loaded`); + + return this.dataStore; + } catch (err) { + throw err; + } + } + + private async loadMeta(): Promise { + if (this.debug) { + console.log(`${perfNow()}: Load meta: ${this.META_FILE}`); + } + const meta: MetaStore = new MetaStore(); + meta.init(await this.yamlService.loadYaml(this.META_FILE)); + meta.loadStoredMeta(); + + if (!meta.activityFiles) { + throw Error("The meta.yaml has no 'activityFiles' to be loaded"); + } + if (!meta.teamProgressFile) { + throw Error("The meta.yaml has no 'teamProgressFile' to be loaded"); + } + + // Recalculate percentages of progress definition + this.recalculateProgressDefinition(meta); + + // Remove group teams not specified + Object.keys(meta.teamGroups).forEach(group => { + meta.teamGroups[group] = meta.teamGroups[group].filter(team => meta.teams.includes(team)); + }); + + // Resolve paths relative to meta.yaml + meta.teamProgressFile = this.yamlService.makeFullPath(meta.teamProgressFile, this.META_FILE); + meta.activityFiles = meta.activityFiles.map(file => + this.yamlService.makeFullPath(file, this.META_FILE) + ); + + if (this.debug) console.log(`${perfNow()} s: meta loaded`); + console.log(`${perfNow()} s: Loaded teams: ${meta.teams.join(', ')}`); + return meta; + } + + private async loadTeamProgress(meta: MetaStore): Promise { + if (this.debug) console.log(`${perfNow()}s: Loading Team Progress: ${meta.teamProgressFile}`); + return this.yamlService.loadYamlUnresolvedRefs(meta.teamProgressFile); + } + + private async loadActivities(meta: MetaStore): Promise { + const activityStore = new ActivityStore(); + const errors: string[] = []; + let usingHistoricYamlFile = false; + + for (let filename of meta.activityFiles) { + if (this.debug) console.log(`${perfNow()}s: Loading activity file: $(unknown)`); + const 
data: Data = await this.loadActivityFile(filename); + + usingHistoricYamlFile ||= filename.endsWith('generated/generated.yaml'); + activityStore.addActivityFile(data, errors); + + // Handle validation errors + if (errors.length > 0) { + errors.forEach(error => console.error(error)); + + // Only throw for non-generated files (backwards compatibility) + if (!usingHistoricYamlFile) { + throw new DataValidationError( + 'Data validation error after loading: ' + + filename + + '\n\n----\n\n' + + errors.join('\n\n') + ); + } + } + } + return activityStore; + } + + private async loadActivityFile(filename: string): Promise { + return this.yamlService.loadYamlUnresolvedRefs(filename); + } + + public forceReload(): Promise { + return this.load(); + } + + private recalculateProgressDefinition(meta: MetaStore) { + let errors: string[] = []; + + for (let state of Object.keys(meta.progressDefinition)) { + let value: string | number = meta.progressDefinition[state]; + if (typeof value === 'string') { + let isPercentage: boolean = (value as string).includes('%'); + value = parseFloat(value); + if (isPercentage) { + value = value / 100; + } + if (value > 1 || value < 0) { + errors.push(`The progress value for '${state}' must be between 0% and 100%`); + continue; + } + } + meta.progressDefinition[state] = value; + } + + if (Math.min(...Object.values(meta.progressDefinition)) !== 0) { + errors.push(`The meta.progressDefinition must specify a name for 0% completed`); + } + if (Math.max(...Object.values(meta.progressDefinition)) !== 1) { + errors.push(`The meta.progressDefinition must specify a name for 100% completed`); + } + + if (errors.length > 0) { + throw new DataValidationError( + 'Data validation error for progress definition in meta.yaml: \n\n- ' + errors.join('\n- ') + ); + } + } +} diff --git a/src/app/service/loader/mock-data-loader.service.ts b/src/app/service/loader/mock-data-loader.service.ts new file mode 100644 index 000000000..cddcd9905 --- /dev/null 
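Review bot: `load()` stores `this.dataStore = new DataStore()` before its first `await`, and the `catch (err) { throw err; }` at the end leaves that object in place, so any later call — including a second caller that arrives while the first load is still in flight — passes the cache check at the top and receives the partially populated store instead of a fresh load or the error. Clear it on failure, `} catch (err) { this.dataStore = null; throw err; }`, and consider caching the pending promise rather than the store so concurrent callers share one load. `forceReload()` has the mirror problem: it returns `this.load()` without first doing `this.dataStore = null;`, so it never actually reloads. In `loadActivities` the `errors` array is shared across the loop, so errors from an earlier file are printed again for every later file; use a fresh array per file or clear it after reporting.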
+++ b/src/app/service/loader/mock-data-loader.service.ts @@ -0,0 +1,39 @@ +// Create mock LoaderService +import { F } from '@angular/cdk/keycodes'; +import { Data } from 'src/app/model/activity-store'; +import { DataStore } from 'src/app/model/data-store'; +import { MetaStore } from 'src/app/model/meta-store'; + +/* eslint-disable */ +const FALLBACK_MOCK_META: any = { + progressDefinition: { + NOT_STARTED: 0.00, + IN_PROGRESS: 0.40, + COMPLETED: 1.00 + }, + teams: ['Team A', 'Team B', 'Team C'], + teamGroups: { AB: ['Team A', 'Team B'] }, +} +/* eslint-enable */ + +export class MockLoaderService { + private MOCK_DATA: Data; + private dataStore: DataStore | null = null; + + constructor(MOCK_DATA: Data) { + this.MOCK_DATA = MOCK_DATA; + } + + load() { + console.log('MOCK loader service'); + let errors: string[] = []; + this.dataStore = new DataStore(); + this.dataStore?.meta?.addMeta(FALLBACK_MOCK_META); + this.dataStore?.activityStore?.addActivityFile(this.MOCK_DATA, errors); + console.log('MOCK dataStore:', this.dataStore); + return Promise.resolve(this.dataStore); + } + getLevels() { + return ['Level 1', 'Level 2', 'Level 3', 'Level 4', 'Level 5']; + } +} diff --git a/src/app/service/sector-service.ts b/src/app/service/sector-service.ts new file mode 100644 index 000000000..129334b87 --- /dev/null +++ b/src/app/service/sector-service.ts 
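Review bot: `import { F } from '@angular/cdk/keycodes'` on the first line of the new file is unused and looks like an editor auto-import; the same stray import, `import { K, Y } from '@angular/cdk/keycodes'`, heads `src/app/service/yaml-loader/yaml-loader.service.ts` in this patch. Both should be dropped so the loader and the YAML service do not pull the CDK into modules that have no use for it. `FALLBACK_MOCK_META: any` under `/* eslint-disable */` hides the shape the mock depends on; presumably `addMeta` accepts something like `Partial<MetaStore>`, which would let the checker validate the literal without the disable — worth confirming against `MetaStore`.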
@@ -0,0 +1,67 @@ +import { Injectable } from '@angular/core'; +import { Activity } from 'src/app/model/activity-store'; +import { Progress, ProgressDefinition, TeamNames, Uuid } from 'src/app/model/types'; +import { ProgressStore } from 'src/app/model/progress-store'; + +/** + * The SectorViewController class is responsible for providing activity progress for all + * activities sharing the same dimension and level, which we call a "sector". It takes + * into account the current teams that are visible in the UI for the calculation. + */ + +@Injectable({ providedIn: 'root' }) +export class SectorService { + private progressStore!: ProgressStore; + private allTeams: TeamNames = []; + private visibleTeams: TeamNames = []; + private allProgress: Progress | null = null; + private progressStates: string[] = []; + private progressValues: ProgressDefinition | null = null; + + init( + progressStore: ProgressStore, + teamnames: TeamNames, + progress: Progress, + progressStates: ProgressDefinition + ) { + this.progressStore = progressStore; + this.allTeams = teamnames; + this.allProgress = progress; + this.progressValues = progressStates; + this.progressStates = Object.keys(progressStates).sort( + (a, b) => progressStates[b] - progressStates[a] + ); + } + + setVisibleTeams(teams: TeamNames) { + this.visibleTeams = teams; + } + + getProgressStates() { + return this.progressStates.slice().reverse(); + } + + getSectorProgress(activities: Activity[]): number { + if (!activities || activities.length === 0) { + return NaN; + } + const teams = this.visibleTeams.length === 0 ? this.allTeams : this.visibleTeams; + let progress = 0; + for (const activity of activities) { + progress += this.getActivityProgress(activity.uuid, teams); + } + return activities.length ? 
progress / activities.length : 0; + } + + private getActivityProgress( + uuid: Uuid, + teams: TeamNames, + getBackupValue: boolean = false + ): number { + let progress = 0; + for (const team of teams) { + progress += this.progressStore?.getTeamActivityProgressValue(uuid, team, getBackupValue) || 0; + } + return teams.length ? progress / teams.length : 0; + } +} diff --git a/src/app/service/yaml-loader/yaml-loader.service.spec.ts b/src/app/service/yaml-loader/yaml-loader.service.spec.ts new file mode 100644 index 000000000..9c0dde423 --- /dev/null +++ b/src/app/service/yaml-loader/yaml-loader.service.spec.ts 
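Review bot: The doc comment above the class describes "The SectorViewController class", but the class it sits on is `SectorService`; rename it in the comment so a reader searching for the service finds its contract. In `getSectorProgress` the trailing `return activities.length ? progress / activities.length : 0;` can only take the first branch, because the empty case already returned `NaN` above it, so `return progress / activities.length;` says what actually happens. `progressStore` is declared with a definite-assignment `!` but read as `this.progressStore?.` in `getActivityProgress`; either the field can be unset before `init()` and should be typed `ProgressStore | null`, or the optional chaining is dead. `getBackupValue` is never supplied by the only caller, so a one-line comment on what the backup value means would help the next reader.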
@@ -0,0 +1,56 @@ +import { TestBed } from '@angular/core/testing'; +import { YamlService } from './yaml-loader.service'; +import { parse } from 'yamljs'; + +describe('YamlLoaderService', () => { + let service: YamlService; + const mockMetaYaml = ` + name: Me + references: + teams: "CORRECT" + teams: + $ref: "#/references/teams" + external_ref: + $ref: "external.yaml#/external/ref2" +`; + + const mockReferencedYaml = ` + external: + ref1: "REF 1" + ref2: "REF 2" +`; + + beforeEach(() => { + TestBed.configureTestingModule({ + providers: [YamlService], + }); + service = TestBed.inject(YamlService); + (service as any)._refs['/external.yaml'] = parse(mockReferencedYaml); + }); + + it('should be created', () => { + expect(service).toBeTruthy(); + }); + + it('should substitute $ref in meta', async () => { + let yaml = parse(mockMetaYaml); + + await service.substituteYamlRefs(yaml, '.'); + + expect(yaml.name).toBe('Me'); + expect(yaml.teams).toBe('CORRECT'); + expect(yaml.external_ref).toBe('REF 2'); + }); + + it('should throw error when $ref not found', async () => { + let yaml = parse(mockMetaYaml); + yaml['not-found'] = { $ref: '#/references/not-there' }; + console.log('PRE:\n' + JSON.stringify(yaml)); + try { + await service.substituteYamlRefs(yaml, '.'); + expect('substituteYamlRefs()').toThrowError('Should not get here'); + } catch (error) { + expect(String(error)).toEqual("Error: Cannot find 'references/not-there' in yaml file"); + } + }); +}); diff --git a/src/app/service/yaml-loader/yaml-loader.service.ts b/src/app/service/yaml-loader/yaml-loader.service.ts new file mode 100644 index 000000000..c5f34cda9 --- /dev/null +++ b/src/app/service/yaml-loader/yaml-loader.service.ts 
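Review bot: The rejection test `should throw error when $ref not found` only fails the right way by accident: `expect('substituteYamlRefs()').toThrowError(...)` is called on a string, so if `substituteYamlRefs` resolves instead of rejecting the matcher itself throws, lands in the `catch`, and the final `toEqual` fails with a message about the matcher rather than about the missing rejection. Jasmine's async matcher states the intent directly and removes the try/catch: `await expectAsync(service.substituteYamlRefs(yaml, '.')).toBeRejectedWithError("Cannot find 'references/not-there' in yaml file");`. The `console.log('PRE:\n' + JSON.stringify(yaml))` line looks like leftover debugging and should go before merge.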
@@ -0,0 +1,192 @@ +import { K, Y } from '@angular/cdk/keycodes'; +import { Injectable } from '@angular/core'; +import { parse as yamlParse, stringify as yamlStringify } from 'yaml'; +// import YAML from 'yaml'; +import { perfNow } from 'src/app/util/util'; + +@Injectable({ providedIn: 'root' }) +export class YamlService { + private _refs: Record; + + constructor() { + this._refs = {}; + } + + public parse(yamlStr: string): any { + return yamlParse(yamlStr, { schema: 'yaml-1.1' }); + } + + public stringify(yamlObj: any): string { + return yamlStringify(yamlObj); + } + + /** + * Loads and swaps any '$ref' references. + * + * @param url The relative path to the yaml file + * @returns The yaml object + */ + public async loadYaml(url: string): Promise { + let yaml = await this.loadYamlUnresolvedRefs(url); + + const referenceUrl = url; + await this.substituteYamlRefs(yaml, referenceUrl); + + return yaml; + } + + /** + * Load a yaml file, and convert it to an object + */ + public async loadYamlUnresolvedRefs(url: string): Promise { + const timeStart: Date = new Date(); + console.debug(`${perfNow()}: YAML: Fetching ${url}`); + const response: Response = await fetch(url); + + if (!response.ok) { + throw new Error(`Failed to fetch the '${url}' YAML file: ${response.statusText}`); + } + const yamlText: string = await response.text(); + const timeFetched: Date = new Date(); + console.debug(`${perfNow()}: YAML: Retrieved ${url}`); + let yaml: any = this.parse(yamlText); + const timeParsed: Date = new Date(); + console.debug(`${perfNow()}: YAML: Parsed ${url}`); + console.log(`${perfNow()}: YAML: Fetched ${url}: load: ${timeFetched.getTime() - timeStart.getTime()} ms, parse: ${timeParsed.getTime() - timeFetched.getTime()} ms`); // eslint-disable-line + return yaml; + } + + /** + * Substitute any '$ref' with the content of the reference + * + * @param yaml The original yaml object + * @param referencePath Path to the yaml file, used as reference when loading other yaml + * 
@returns the yaml object with + */ + async substituteYamlRefs(yaml: any, referencePath: string): Promise { + const orgYaml = yaml; + return await this._substituteYamlRefs(yaml, orgYaml, referencePath, 1); + } + + /** + * Recursively find '$ref' and substitute the reference with the referenced value + * + * @param yaml The recursive object + * @param orgYaml The original yaml object is used when a reference points to the current yaml file + * @param referencePath Path to the current + * @param lvl Level of recursion + * @returns the current level of the object + */ + async _substituteYamlRefs( + yaml: any, + orgYaml: any, + referencePath: string, + lvl: number + ): Promise { + if (lvl > 1000) throw Error('Recursive loop gone awry'); + + // Loop though all key in object + for (let key in yaml) { + let indent = ' '.repeat(lvl); + // console.log(lvl, indent, key, typeof yaml[key], yaml[key] instanceof Object); + + // Recursively enter any child objects + if (yaml[key] instanceof Object) { + yaml[key] = await this._substituteYamlRefs(yaml[key], orgYaml, referencePath, lvl + 1); + } + + if (key == '$ref') { + // Substitute the reference with the referenced value + yaml = await this.fetchRef(yaml[key], orgYaml, referencePath); + } + } + return yaml; + } + + /** + * Parse the ref, load and return the referenced object + */ + async fetchRef(ref: string, orgYaml: any, referencePath: string): Promise { + let [file, yPath] = this.parseRef(ref); + + let refObj: any = file ? await this.loadRef(file, referencePath) : orgYaml; + + try { + return yPath ? this.getYPath(refObj, yPath) : refObj; + } catch (err: any) { + let filename = file ? file : 'yaml file'; + console.log(`${err.message} in $(unknown)`); + throw Error(`${err.message} in $(unknown)`); + } + } + + /** + * Load a reference, and cache it to avoid reloading the same file multiple times. 
+ */ + async loadRef(filepath: string, referencePath: string): Promise { + const absUrl = this.makeFullPath(filepath, referencePath); + + if (absUrl && !this._refs[absUrl]) { + this._refs[absUrl] = await this.loadYaml(absUrl); + } + + return this._refs[absUrl]; + } + + /** + * Return the value of the yPath + * + * (yPath has similar but simpler syntax to xPath, but refers to yaml files) + */ + getYPath(obj: any, yPath: string): any { + if (yPath.startsWith('/')) yPath = yPath.substring(1); + let path: string[] = yPath.split('/'); + + try { + return this._getYPath(obj, path, 1); + } catch { + throw Error(`Cannot find '${yPath}'`); + } + } + + _getYPath(obj: any, path: string[], lvl: number = 1): any { + if (lvl > 1000) throw Error('Too deeply nested object'); + + if (path.length == 0) { + return obj; + } else if (obj.hasOwnProperty(path[0])) { + // Recursively go down one level + const subObj: any = obj[path[0]]; + const subPath: string[] = path.slice(1); + return this._getYPath(subObj, subPath, lvl + 1); + } else { + console.log(`Cound not find the key '${path[0]}'`); + throw Error(`Cound not find the key '${path[0]}'`); + } + } + + /** + * @returns splits the reference into two: file and yPath + */ + parseRef(ref: string): string[] { + let [file, yPath] = ref.split('#'); + + file = file ? file.trim() : ''; + yPath = yPath ? yPath.trim() : ''; + + return [file, yPath]; + } + + public makeFullPath(relativePath: string, relativeTo: string) { + let fullPath = new URL(relativePath, 'https://example.org/.' + relativeTo).pathname; + + // Make sure the new path does not escape its cage + let i = relativeTo.lastIndexOf('/'); + if (fullPath.substring(0, i) == relativeTo.substring(0, i)) { + return fullPath; + } else { + console.log(`The ${relativePath} is not allowed outside its root folder`); + return ''; + } + } +} 
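Review bot: The containment check in `makeFullPath` compares prefixes up to but not including the last `/` of `relativeTo`, so a reference that resolves into a sibling directory whose name merely starts with the same characters (for `/assets/YAML/meta.yaml`, anything under `/assets/YAMLx/`) passes as inside the cage. Include the separator in the comparison, `let i = relativeTo.lastIndexOf('/') + 1;`, so the directory prefix being matched ends with `/`. Returning `''` on rejection is also a silent failure: `loadRef` then hands back `this._refs['']`, and a caller that fetches the empty string gets the current page rather than an error, so throwing here would surface a misconfigured `$ref` instead of hiding it. The file cache in `loadRef` is only populated after `loadYaml` completes, so two files that `$ref` each other presumably recurse until the stack overflows — the `lvl > 1000` guard only counts depth inside one file — worth confirming and, if so, storing the pending promise in `_refs` before awaiting.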
diff --git a/src/app/service/yaml-parser/yaml-parser.service.spec.ts b/src/app/service/yaml-parser/yaml-parser.service.spec.ts deleted file mode 100644 index 699603e38..000000000 --- a/src/app/service/yaml-parser/yaml-parser.service.spec.ts +++ /dev/null @@ -1,22 +0,0 @@ -import { HttpClient, HttpHandler } from '@angular/common/http'; -import { - HttpClientTestingModule, - HttpTestingController, -} from '@angular/common/http/testing'; -import { TestBed } from '@angular/core/testing'; -import { ymlService } from './yaml-parser.service'; - -describe('YAMLParserService', () => { - let service: ymlService; - - beforeEach(() => { - TestBed.configureTestingModule({ - providers: [HttpClientTestingModule, ymlService, HttpClient, HttpHandler], - }); - service = TestBed.inject(ymlService); - }); - - it('should be created', () => { - expect(service).toBeTruthy(); - }); -}); diff --git a/src/app/service/yaml-parser/yaml-parser.service.ts b/src/app/service/yaml-parser/yaml-parser.service.ts deleted file mode 100644 index 873945015..000000000 --- a/src/app/service/yaml-parser/yaml-parser.service.ts +++ /dev/null @@ -1,28 +0,0 @@ -import { Injectable } from '@angular/core'; -import { HttpClient } from '@angular/common/http'; -import { map } from 'rxjs/operators'; -import { Observable } from 'rxjs'; -import { parse } from 'yamljs'; - -@Injectable() -export class ymlService { - private URI: string = './'; - - constructor(private http: HttpClient) {} - - setURI(URI_used: string) { - this.URI = URI_used; - } - - public getJson(): Observable { - return this.http - .get(this.URI, { - observe: 'body', - responseType: 'text', // This one here tells HttpClient to parse it as text, not as JSON - }) - .pipe( - // Map Yaml to JavaScript Object - map(yamlString => parse(yamlString)) - ); - } -} diff --git a/src/app/util/ArrayHash.ts b/src/app/util/ArrayHash.ts new file mode 100644 index 000000000..e714cddce --- /dev/null +++ b/src/app/util/ArrayHash.ts 
@@ -0,0 +1,6 @@
+export function appendHashElement(hash: Record, key: string, element: any): void {
+ if (!hash.hasOwnProperty(key)) {
+ hash[key] = [];
+ }
+ hash[key].push(element);
+}
diff --git a/src/app/util/download.ts b/src/app/util/download.ts
new file mode 100644
index 000000000..0e4cf335e
--- /dev/null
+++ b/src/app/util/download.ts
@@ -0,0 +1,10 @@
+export function downloadYamlFile(data: string, filename: string): void {
+ const blob = new Blob([data], { type: 'application/yaml' });
+ const url = URL.createObjectURL(blob);
+ const a = document.createElement('a');
+ a.href = url;
+ a.download = filename.split('/').pop() || 'download.yaml';
+ a.click();
+ a.remove();
+ URL.revokeObjectURL(url);
+}
diff --git a/src/app/util/util.ts b/src/app/util/util.ts
new file mode 100644
index 000000000..8418c18af
--- /dev/null
+++ b/src/app/util/util.ts
@@ -0,0 +1,47 @@
+export function perfNow(): string {
+ return (performance.now() / 1000).toFixed(3);
+}
+
+export function isEmptyObj(obj: any): boolean {
+ for (let tmp in obj) {
+ return false;
+ }
+ return true;
+}
+
+export function hasData(obj: any): boolean {
+ for (let tmp in obj) {
+ return true;
+ }
+ return false;
+}
+
+export function deepCopy(obj: any): any {
+ return JSON.parse(JSON.stringify(obj));
+}
+
+export function renameArrayElement(array: any[], oldName: string, newName: string): any[] {
+ return array.map(item => (item === oldName ? newName : item));
+}
+
+export function equalArray(a: any[] | undefined | null, b: any[] | undefined | null): boolean {
+ if (!a && !b) return true;
+ if (!a || !b) return false;
+ if (a.length !== b.length) return false;
+
+ return a.every((v, i) => v === b[i]);
+}
+
+export function uniqueCount(array: any[]): number {
+ const set: Set = new Set(array);
+ return set.size;
+}
+
+export function dateStr(date: Date | null | undefined): string {
+ if (!date) return '';
+ return date.toLocaleDateString(navigator.language, {
+ year: 'numeric',
+ month: '2-digit',
+ day: '2-digit',
+ });
+}
diff --git a/src/assets/Markdown Files/ABOUT-FORK.md b/src/assets/Markdown Files/ABOUT-FORK.md
new file mode 100644
index 000000000..93c841fbe
--- /dev/null
+++ b/src/assets/Markdown Files/ABOUT-FORK.md
@@ -0,0 +1,9 @@
+# About this fork
+This fork [vbakke/DevSecOps-MaturityModel](https://github.com/vbakke/DevSecOps-MaturityModel), is a development branch for the official [devsecopsmaturitymodel/DevSecOps-MaturityModel](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel).
+
+It's purpose is to be a test bed for features not yet included in the official branch.
+
+## Scalable circular map
+ - Responsive UI *[2024-10-20]*
+ - Responsive UI *[2024-10-20]*
+ - Circle is no longer fixed size *[2024-10-20]*
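Review bot: `deepCopy` round-trips through JSON, which turns `Date` values into ISO strings and drops `undefined` properties and the contents of `Map`/`Set`; the patch's `TeamSummary` carries `lastUpdated: Date`, so if a summary is ever copied this way the `>` comparisons in `makeTeamSummary` would be comparing strings. Document the limitation above the function, e.g. `// JSON round-trip: Dates become strings, undefined/functions/Map/Set are lost — use structuredClone() for those`, or switch to `structuredClone` if the target browsers allow it. `isEmptyObj` and `hasData` iterate with `for..in`, so inherited enumerable properties count as data; `Object.keys(obj).length` expresses the intent without that caveat. `dateStr` reads `navigator.language` directly, and the TODO file in this patch lists a date-format setting, so a `locale` parameter defaulting to `navigator.language` would make that later change a one-liner.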
diff --git a/src/assets/Markdown Files/README.md b/src/assets/Markdown Files/README.md index 3e83c0f45..dae0484c9 100644 --- a/src/assets/Markdown Files/README.md +++ b/src/assets/Markdown Files/README.md @@ -63,7 +63,7 @@ In case you would like to perform a DevSecOps assessment, the following tools ar 3. Browse to (on macOS and Windows browse to if you are using docker-machine instead of the native docker installation) -For customized DSOMM, take a look at https://github.com/wurstbrot/DevSecOps-MaturityModel-custom. +For customized DSOMM, take a look at https://github.com/wurstbrot/DevSecOps-MaturityModel-custom. In case you would like to have perform an assessment for multiple teams, iterate from port 8080 to 8XXX, depending of the size of your team. You can download your current state from the circular heatmap and mount it again via @@ -72,6 +72,11 @@ wget https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-Maturity docker run -p 8080:8080 -v /tmp/generated.yaml:/srv/assets/YAML/generated/generated.yaml wurstbrot/dsomm:latest ``` +. +wget https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/main/src/assets/YAML/generated/generated.yaml # or go to /circular-heatmap and download edited yaml (bottom right) +docker run -p 8080:8080 -v /tmp/generated.yaml:/srv/assets/YAML/generated/generated.yaml wurstbrot/dsomm:latest +``` + . This approach also allows teams to perform self assessment with changes tracked in a repository. diff --git a/src/assets/Markdown Files/TODO-v4.md b/src/assets/Markdown Files/TODO-v4.md new file mode 100644 index 000000000..b9a0301dc --- /dev/null +++ b/src/assets/Markdown Files/TODO-v4.md 
@@ -0,0 +1,124 @@ +## Doing +- Teams: Bug: Reads progress heading from activityStore, not metaStore +- Team KPI: One KPI per ProgressDefinition +- KPI: Add Sub-title + +## Next +### Dependency graph +- Dependency graph: Add to CircularHeatmap Details +- Matrix: Dependency graph: Render in center of page + +## ToDo +- Heatmap: Fix: asterisk marks when modified + - ViewController needs to know about changes vs temp storage +- Heatmap: Bug: Clicking on grey sector leaves cursor on that sector +### Settings +- Settings: Make settings page +- Settings: Date format (don't rely just on browser language) +- Settings: Display mode dark/light +- Settings: Progress Definition: Make customizable stage: Name, Percentage, Definition (free text) +- Settings: Set Max maturity level (1-5) +- Settings: Terms: Allow custom names for: team, group, etc +### Matrix +- Matrix: Add a Close/Back button +### Teams +- Teams: Allow user to re-order teams and groups +- Teams: Bug: Editing name, pushes the item last +- Teams: Allow editing dates for progress stages +### Heatmap: +- Heatmap: Bug: Selecting a team group does not always get deselected when flipping teams +- Heatmap: meta-yaml: If progress definition is missing, default to 0% + 100% +- Heatmap: Revert to boolean checkboxes, if definition is only 0% and 100% +- Heatmap: Read previous local storage for backwards compatibility +- Heatmap: Input Teams' evidence +- Heatmap: Increase subdimension to be two lines (and increase size) +### Documentation +- Doc: Update `Usage` +- Doc: Update `README.md` +- Doc: Update `About Us` +- Doc: Update `Development.md` +- Doc: Update `INSTALL.md` +### Misc +- Move all getMetaString into MetaStore() +- Add fallbacks for getMetaString in MetaStore() +- Fix dependsOn that is uuid (e.g. 
83057028-0b77-4d2e-8135-40969768ae88) +- Refactor: Labels for knowledge, time, resources, and usefulness (used by both Matrix and Heatmap) +- Move META_FILE constant from data service to main app +- Check if loader can be optimized by load in yaml in parallel +- Proxy Grafana Faro data: https://grafana.com/docs/grafana-cloud/monitor-applications/frontend-observability/instrument/data-proxy/ + +## Align DSOMM-data and DSOMM +- DSOMM-data: Sort linear list of activities (sorted by dim, level) +- DSOMM-data: Update generated filename and data structure to adhere to this new DSOMM standard +- DSOMM-data: Include version number in generated yaml file +- DSOMM: Read latest "generated.yaml" from DSOMM-data's github repo, to check for any new releases + +# Later +- App: Search activities, across title description etc +- Export to Excel. Move from Mapping, to just progress data +- Filter: Bug: SPACE key does not trigger +- Heatmap, Card: Add Complete-symbol per activity +- Heatmap: Update url on open details + read querystring on open +- Heatmap: Add 'Not applicable' as a status for a team +- Matrix: Brushup layout of details page +- Matrix: Remember filters, when moving back from details +- Matrix: Dependency graph: Make it clickable +- Matrix: Go through tags: remove, add and rename +- Misc: What is the activities.yaml comment field for? Should it be displayed to the user? +- Teams: View active initiatives for a team (>0% and <100%) +- Teams: View timeline for a team +- Meta.yaml: Allow admins to customize the terms 'Team' and 'Group' (e.g. 
to 'App' and 'Portfolio') + +# Done +- Merge in Dark Mode [PR #381](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel/pull/381) +- Linting +- Using Angular's built-in DomSanitizer to check [innerHTML] +- Heatmap: Run Markdown on yaml text +- Matrix: Fix markdown rendering +- Teams: Display some core info about the selected team/group +- Teams: Export teams and groups names as yaml +- Teams: Store teams names in localstorage +- Teams: Move team group 'All' from data-loader-service to Heatmap load +- Teams: Refactor to adhere to new data structure. +- Mapping: Add search filters +- Mapping: Refactor to adhere to new data structure. +- Mapping: Refactor ExportToExcel +- Mapping: ExportToExcel: Fix duplicate lines in export (The column ISO 27001:2017 is not flattened) +- Misc: Move page "components" to ./pages/ +- Heatmap: Fix references not showing in activity details +- Heatmap: Remove old obsolete code +- Heatmap: Export TeamProgress yaml +- Heatmap: Fix: Update map when teams are selected +- Store TeamProgress to localStorage +- Load localStorage TeamProgress +- Load TeamProgress yaml +- Refactor Circular Heatmap +- Add validation for meta.yaml, progress step: include 0% and 100% +- Load YAML progress +- Navigate to activity-description without site reload +- Refactor Dependecy graph +- Refactor activity-description +- Make sure loader.load() only runs once (even with navigations) +- Handle parsing errors, like Circular Heatmap +- Filter: Make filters for subdimensions +- Matrix: toggle chips +- Matrix: updateActivitesBeingDisplayed() +- Matrix: dataloader.getLevels(): Return only max levels from yaml +- Matrix: ngInit +- Make unittest for activity-store +- Make unittest for ignore +- Handle 'ignore:true' on Category and Dimension +- Handle 'ignore:true' on Activity +- Handle 'ignore:true' on dimension or categories +- Load multiple Activity files +- Better error msg handling in load Yaml +- Make 1st draft of Activity model +- Load Activities +- 
Substitute refs +- Load Yaml + +For details and dates, please see the [GitHub log](https://github.com/vbakke/DevSecOps-MaturityModel/commits/experiment/). + +## User tracking +The Experimental edition, and the Experimental edition only, uses Grafana Frontend to log the console log to catch bugs, especially from mobile devices. + diff --git a/src/assets/YAML/custom/custom-activities.yaml b/src/assets/YAML/custom/custom-activities.yaml new file mode 100644 index 000000000..38c003b3a --- /dev/null +++ b/src/assets/YAML/custom/custom-activities.yaml @@ -0,0 +1,35 @@ + +Build and Deployment: + Build: + New CUSTOM activity: + uuid: f6f7737f-1111-1111-1111-09bf59f29b5b + description: + This is a NEW activity + level: 1 + Defined build process: + uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b + description: + Custom description for: same name and same uuid + # Pinning of artifacts: + # ignore: true + # uuid: f3c4971e-9f4d-4e59-8ed0-f0bdb6111111 + # description: + # This activity has a two different UUIDs + + +New test category: + Custom tests: + NEW SBOM in NEW dimension: + uuid: 2858ac12-0179-40d9-9acf-1b839c030473 + level: 2 + Custom tests2: + High coverage of security related module and integration tests: + uuid: 67667c97-c33e-4306-a4e5-e7b1d8e10c5a + level: 1 + description: + This is the description for *High coverage* + Security integration tests for important components: + uuid: f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715 + level: 2 + description: + This is the description for *Security integration tests* diff --git a/src/assets/YAML/custom/custom-experimental.yaml b/src/assets/YAML/custom/custom-experimental.yaml new file mode 100644 index 000000000..ba1d4295b --- /dev/null +++ b/src/assets/YAML/custom/custom-experimental.yaml 
@@ -0,0 +1,17 @@
+
+Build and Deployment:
+ Build:
+ Experimental Build Activity:
+ uuid: 2858ac12-0179-40d9-9acf-1b839c030474
+ level: 1
+ description: |
+ Test activity - Testing Custom Activity Yaml, that ignores the whole pre-existing Build Dimension.
+ But add a new (this) separate custom activity.
+ Deployment:
+ Defined deployment process:
+ description: |
+ Custom description, defined in `custom-experimental.yaml`.
+ But other properties remain as-is.
+Test and Verification:
+ Test-Intensity:
+ ignore: true
diff --git a/src/assets/YAML/custom/test-ignore-activities.yaml b/src/assets/YAML/custom/test-ignore-activities.yaml
new file mode 100644
index 000000000..7bdf02fd8
--- /dev/null
+++ b/src/assets/YAML/custom/test-ignore-activities.yaml
@@ -0,0 +1,22 @@
+Ignore this DEFAULT Category:
+ ignore: true
+Build and Deployment:
+ Ignore this DEFAULT dimension:
+ ignore: true
+ Ignore this dimension:
+ ignore: true
+ Build:
+ Defined build process:
+ comments: A nice litte comment at the end
+ Signing of code:
+ level: 5
+ uuid: 9f107927-61e9-4574-85ad-3f2b4bca8665
+ ignore: true
+ Deployment:
+ This activity should have been ignored, too:
+ ignore: true
+ Ignore this Activity:
+ ignore: true
+ Ignore:
+ uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a
+ ignore: true
diff --git a/src/assets/YAML/default/activities-short.yaml b/src/assets/YAML/default/activities-short.yaml
new file mode 100644
index 000000000..2004483d0
--- /dev/null
+++ b/src/assets/YAML/default/activities-short.yaml
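Review bot: `comments: A nice litte comment at the end` in test-ignore-activities.yaml has a typo ('litte'); if a spec asserts on this string, its expected value needs the same change, so fix both together: `comments: A nice little comment at the end`. The same file gives 'Signing of code' a `level` and `uuid` next to `ignore: true`, while the other ignored entries carry only `ignore: true`; if the extra keys are meant to test that ignore wins over other properties, a short comment on that entry would make the intent clear.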
@@ -0,0 +1,87 @@
+# version: 1.52.1
+#meta:
+# version: 1.52.1
+Ignore this Category by default:
+ ignore: true
+
+Ignore this DEFAULT Category:
+ Should be ignored:
+ This activity should have been ignored:
+ uuid: 99999999-1111-9999-9999-999999999999
+ level: 5
+ description:
+ This is specified in the default activity file, but is removed by the ignore yaml
+
+Build and Deployment:
+ Ignore this dimension by default:
+ ignore: true
+ Ignore this DEFAULT dimension:
+ This activity should also have been ignored:
+ uuid: 99999999-2222-9999-9999-999999999999
+ level: 5
+ description:
+ This is specified in the default activity file, but is removed by the ignore yaml
+ Build:
+ This activity should have been ignored, too:
+ uuid: 99999999-333-9999-9999-999999999999
+ level: 5
+ description:
+ This is specified in the default activity file, but is removed by the ignore yaml
+ Building and testing of artifacts in virtual environments:
+ uuid: a340f46b-6360-4cb8-847b-a0d3483d09d3
+ description: >-
+ A DSOMM description.
+ tags:
+ - ci-cd
+ - build
+ level: 3
+ Defined build process:
+ uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b
+ description: >
+ DSOMM description without UUID
+ level: 1
+ tags:
+ - ci-cd
+ - build
+ Pinning of artifacts:
+ uuid: f3c4971e-9f4d-4e59-8ed0-f0bdb6262477
+ description:
+ DSOMM description, where uuid is different
+ level: 2
+ tags:
+ - ci-cd
+ SBOM of components:
+ uuid: 2858ac12-0179-40d9-9acf-1b839c030473
+ level: 3
+ Signing of code:
+ level: 5
+ uuid: 9f107927-61e9-4574-85ad-3f2b4bca8665
+ # ignore: true
+ Deployment:
+ Ignore this Activity:
+ ignore: true
+ Defined deployment process:
+ uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a
+ level: 1
+ description:
+ tags:
+ - ci-cd
+ Handover of confidential parameters:
+ uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a
+ level: 2
+Test and Verification:
+ Application tests:
+ High coverage of security related module and integration tests:
+ uuid: 67667c97-c33e-4306-a4e5-e7b1d8e10c5a
+ level: 5
+ description:
+ This is the description for *High coverage*
+ tags:
+ - test
+ Security integration tests for important components:
+ uuid: f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715
+ level: 3
+ description:
+ This is the description for *Security integration tests*
+ tags:
+ - test
diff --git a/src/assets/YAML/default/activities.yaml b/src/assets/YAML/default/activities.yaml
new file mode 100644
index 000000000..5f0ac8637
--- /dev/null
+++ b/src/assets/YAML/default/activities.yaml
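Review bot: `uuid: 99999999-333-9999-9999-999999999999` on 'This activity should have been ignored, too' is not a well-formed UUID (the third group has three characters where its siblings use `1111` and `2222`); unless a malformed id is meant to exercise validation, it should read `uuid: 99999999-3333-9999-9999-999999999999`, and if it is intentional a comment on that line should say so. This fixture also places that activity under Build, while test-ignore-activities.yaml lists it under Deployment, which only removes it if ignore matching is by activity name rather than by dimension path — I cannot confirm that from these hunks. The bare `description:` under 'Defined deployment process' parses as null; if that is deliberate, to test missing descriptions, a short comment would stop someone from "fixing" it later.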
@@ -0,0 +1,8597 @@ +--- +#meta: + #source: https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/refs/heads/main/src/assets/YAML/generated/generated.yaml + #version: 1.15.2 + +Build and Deployment: + Build: + Building and testing of artifacts in virtual environments: + uuid: a340f46b-6360-4cb8-847b-a0d3483d09d3 + description: |- + While building and testing artifacts, third party systems, application frameworks + and 3rd party libraries are used. These might be malicious as a result of + vulnerable libraries or because they are altered during the delivery phase. + risk: |- + While building and testing artifacts, third party systems, application frameworks + and 3rd party libraries are used. These might be malicious as a result of + vulnerable libraries or because they are altered during the delivery phase. + measure: Each step during within the build and testing phase is performed in + a separate virtual environments, which is destroyed afterward. + meta: + implementationGuide: Depending on your environment, usage of virtual machines + or container technology is a good way. After the build, the filesystem should + not be used again in other builds. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 2 + level: 2 + implementation: + - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 + name: CI/CD tools + tags: + - ci-cd + url: https://martinfowler.com/articles/continuousIntegration.html + description: CI/CD tools such as jenkins, gitlab-ci or github-actions + - uuid: ed6b6340-6c7f-4e13-8937-f560d3f5db11 + name: Container technologies and orchestration like Docker, Kubernetes + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:ContainerOrchestrationSoftware/ + references: + samm2: + - I-SB-2-A + iso27001-2017: + - 14.2.6 + iso27001-2022: + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/a340f46b-6360-4cb8-847b-a0d3483d09d3 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Defined build process: + uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b + description: "A *build process* include more than just compiling your source + code. \nIt also includes steps such as managing (third party) dependencies, + \nenvironment configuration, running the unit tests, etc. \n\nA *defined build + process* has automated these steps to ensure consistency.\n\nThis can be done + with a Jenkinsfile, Maven, or similar tools.\n" + risk: Performing builds without a defined process is error prone; for example, + as a result of incorrect security related configuration. + measure: A well defined build process lowers the possibility of errors during + the build process. + difficultyOfImplementation: + knowledge: 2 + time: 3 + resources: 2 + usefulness: 4 + level: 1 + assessment: | + - Show your build pipeline and an exemplary job (build + test). + - Show that every team member has access. + - Show that failed jobs are fixed. 
+ + Credits: AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) + implementation: + - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 + name: CI/CD tools + tags: + - ci-cd + url: https://martinfowler.com/articles/continuousIntegration.html + description: CI/CD tools such as jenkins, gitlab-ci or github-actions + - uuid: ed6b6340-6c7f-4e13-8937-f560d3f5db11 + name: Container technologies and orchestration like Docker, Kubernetes + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:ContainerOrchestrationSoftware/ + references: + samm2: + - I-SB-1-A + iso27001-2017: + - 12.1.1 + - 14.2.2 + iso27001-2022: + - 5.37 + - 8.32 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f6f7737f-25a9-4317-8de2-09bf59f29b5b + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Pinning of artifacts: + uuid: f3c4971e-9f4d-4e59-8ed0-f0bdb6262477 + risk: Unauthorized manipulation of artifacts might be difficult to spot. For + example, this may result in using images with malicious code. Also, intended + major changes, which are automatically used in an image used might break the + functionality. + measure: Pinning of artifacts ensure that changes are performed only when intended. + comment: The usage of pinning requires a good processes for patching. Therefore, + choose this activity wisely. + meta: + implementationGuide: Pinning artifacts in Dockerfile refers to the practice + of using specific, immutable versions of base images and dependencies in + your build process. Instead of using the latest tag for your base image, + select a specific version or digest. For example, replace FROM node:latest, + to FROM node@sha256:abcdef12. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 2 + implementation: + - uuid: 9368abfb-cf37-477a-9091-a804d2de9148 + name: Signing of containers + tags: + - signing + - container + - build + url: https://www.aquasec.com/cloud-native-academy/supply-chain-security/container-image-signing/ + description: Container technology automatically creates a hash for images, + which can be used. + - uuid: 638b3691-c9a5-45fa-9ba8-e40aeea32766 + name: Immutable images + tags: + - deployment + - container + - build + url: https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/#immutablility-after-first-modification + description: Immutable images are an other way, e.g. by using a registry, + which doesn't allow overriding of images. + dependsOn: + - Defined build process + references: + samm2: + - I-SB-1-A + iso27001-2017: + - 14.2.6 + iso27001-2022: + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f3c4971e-9f4d-4e59-8ed0-f0bdb6262477 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + SBOM of components: + uuid: 2858ac12-0179-40d9-9acf-1b839c030473 + description: |- + SBOM (Software Bill of Materials) is a document that lists all components, libraries, + and dependencies used in a software application or container image. Creating an SBOM + during the build process can help ensure transparency, security, and license compliance + for your application. + risk: In case a vulnerability of severity high or critical exists, it needs + to be known where an artifacts with that vulnerability is deployed with which + dependencies. + measure: Creation of an SBOM of components (e.g. application and container image + content) during build. 
+ dependsOn: + - Defined build process + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 3 + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: [] + iso27001-2017: + - 8.1 + - 8.2 + iso27001-2022: + - 5.9 + - 5.12 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/2858ac12-0179-40d9-9acf-1b839c030473 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Signing of artifacts: + uuid: 5786959d-0c6f-46a6-8e1c-a32ff1a50222 + risk: Execution or usage of malicious code or data e.g. via executables, libraries + or container images. + measure: Digitally signing artifacts for all steps during the build and especially + docker images, helps to ensure their integrity and authenticity. + description: "To perform a push to a GitHub repository, you must be authenticated. + It's important to note that GitHub does not verify if the authenticated user's + email address matches the one in the commit.\nTo clearly identify the author + of a commit for reviewers, commit signing is recommended.\n\nGitHub actions + such as [semantic-release-action](https://github.com/cycjimmy/semantic-release-action) + do not automatically sign commits and may encounter issues as a result. \n\nTo + address this, you can refer to a working configuration example in the [workflow + folder](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel/blob/master/.github/workflows/main.yml) + of DSOMM, which demonstrates how to use semantic release action in conjunction + with [planetscale/ghcommit-action](https://github.com/planetscale/ghcommit-action).\nFor + added security, consider using [Fine-grained personal access tokens](https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/) + provided by your organization for a specific repository. Store the Personal + Access Token (PAT) as a secret in your project." 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 4 + level: 5 + implementation: + - uuid: ee81f93f-8230-4cfb-a132-ae4ec61cb8e6 + name: Docker Content Trust + tags: [] + url: https://docs.docker.com/engine/security/trust/ + - uuid: 6e9d8c14-ba3b-4698-afc3-365b4ab6fb1f + name: in-toto + tags: [] + url: https://in-toto.github.io/ + dependsOn: + - Defined build process + - Pinning of artifacts + references: + samm2: + - I-SB-1-A + iso27001-2017: + - 14.2.6 + iso27001-2022: + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/5786959d-0c6f-46a6-8e1c-a32ff1a50222 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Signing of code: + uuid: 9f107927-61e9-4574-85ad-3f2b4bca8665 + risk: Execution or usage of malicious code or data e.g. via executables, libraries + or container images. + measure: Digitally signing commits helps to prevent unauthorized manipulation + of source code. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - uuid: d6d755d3-b9f1-4942-a084-e62b266541df + name: Signing of commits + tags: + - signing + url: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work + description: Signing of commits in git + - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 + name: Enforcement of commit signing + tags: + - signing + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule + description: Usage of branch protection rules + dependsOn: + - Defined build process + references: + samm2: + - I-SB-2-A + iso27001-2017: + - 14.2.6 + iso27001-2022: + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/9f107927-61e9-4574-85ad-3f2b4bca8665 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Deployment: + Blue/Green Deployment: + uuid: 0cb2626b-fb0d-4a0f-9688-57f787310d97 + risk: A new artifact's version can have unknown defects. + measure: |- + Using a blue/green deployment strategy increases application availability + and reduces deployment risk by simplifying the rollback process if a deployment fails. 
+ difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 2 + level: 5 + implementation: + - uuid: 4fb3d95c-07c0-4cbb-b396-5054aba751c2 + name: Blue/Green Deployments + tags: [] + url: https://martinfowler.com/bliki/BlueGreenDeployment.html + dependsOn: + - Smoke Test + references: + samm2: + - TODO + iso27001-2017: + - 17.2.1 + - 12.1.1 + - 12.1.2 + - 12.1.4 + - 12.5.1 + - 14.2.9 + iso27001-2022: + - 8.14 + - 5.37 + - 8.31 + - 8.32 + - 8.19 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0cb2626b-fb0d-4a0f-9688-57f787310d97 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Defined decommissioning process: + uuid: da4ff665-dcb9-4e93-9d20-48cdedc50fc2 + description: |- + The decommissioning process in the context of Docker and Kubernetes involves + retiring Docker containers, images, and Kubernetes resources that are no longer + needed or have been replaced. This process must be carefully executed to avoid + impacting other services and applications. + risk: Unused applications are not maintained and may contain vulnerabilities. + Once exploited they can be used to attack other applications or to perform + lateral movements within the organization. + measure: A clear decommissioning process ensures the removal of unused applications + from the `Inventory of production components` and if implemented from `Inventory + of production artifacts`. 
+ difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 2 + level: 2 + references: + samm2: + - O-OM-2-B + iso27001-2017: + - 11.2.7 + iso27001-2022: + - 7.14 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/da4ff665-dcb9-4e93-9d20-48cdedc50fc2 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Defined deployment process: + uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a + risk: Deployment of insecure or malfunctioning artifacts. + measure: Defining a deployment process ensures that there are established criteria + in terms of functionalities, security, compliance, and performance, and that + the artifacts meet them. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 1 + dependsOn: + - Defined build process + implementation: + - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 + name: CI/CD tools + tags: + - ci-cd + url: https://martinfowler.com/articles/continuousIntegration.html + description: CI/CD tools such as jenkins, gitlab-ci or github-actions + - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba + name: Docker + url: https://github.com/moby/moby + tags: [] + references: + samm2: + - I-SD-1-A + iso27001-2017: + - 12.1.1 + - 14.2.2 + iso27001-2022: + - 5.37 + - 8.32 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/74938a3f-1269-49b9-9d0f-c43a79a1985a + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Environment depending configuration parameters (secrets): + uuid: df428c9d-efa0-4226-9f47-a15bb53f822b + risk: Unauthorized access to secrets stored in source code or in artifacts (e.g. + container images) through process listing (e.g. ps -ef). + measure: Set configuration parameters via environment variables stored using + specific platform functionalities or secrets management systems (e.g. 
Kubernetes + secrets or Hashicorp Vault). + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 2 + implementation: + - uuid: e3a2ffc8-313f-437e-9663-b24591568209 + name: Hashicorp Vault + tags: + - authentication + - authorization + - secrets + - infrastructure + url: https://github.com/hashicorp/vault + description: | + A tool for secrets management, encryption as a service, and privileged access management. + references: + samm2: + - I-SD-1-B + iso27001-2017: + - 9.4.5 + - 14.2.6 + iso27001-2022: + - 8.4 + - 8.31 + d3f: + - ApplicationConfigurationHardening + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/df428c9d-efa0-4226-9f47-a15bb53f822b + tags: + - secret + teamsImplemented: + Default: false + B: false + C: false + Evaluation of the trust of used components: + uuid: 0de465a6-55a7-4343-af79-948bb5ff10ba + risk: Application and system components like Open Source libraries or images + can have implementation flaws or deployment flaws. Developers or operations + might start random images in the production cluster which have malicious code + or known vulnerabilities. + measure: Each components source is evaluated to be trusted. For example the + source, number of developers included, email configuration used by maintainers + to prevent maintainer account theft, typo-squatting, ... Create image assessment + criteria, perform an evaluation of images and create a whitelist of artifacts/container + images/virtual machine images. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: 2a76300f-6b1f-4a51-b925-134c36b723af + name: Kubernetes Admission Controller can whitelist registries and/or whitelist + a signing key. 
+ tags: [] + url: https://medium.com/slalom-technology/build-a-kubernetes-dynamic-admission-controller-for-container-registry-whitelisting-b46fe020e22d + - uuid: 5d8b27ac-286e-47a5-b23f-769eb6d74e4a + name: packj + tags: + - OpenSource + - Supply Chain + - vulnerability + url: https://github.com/ossillate-inc/packj + description: | + Packj is a tool to detect software supply chain attacks. It can detect malicious, vulnerable, abandoned, typo-squatting, and other "risky" packages from popular open-source package registries, such as NPM, RubyGems, and PyPI. + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0de465a6-55a7-4343-af79-948bb5ff10ba + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Handover of confidential parameters: + uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a + risk: Parameters are often used to set credentials, for example by starting + containers or applications; these parameters can often be seen by any one + listing running processes on the target system. + measure: Encryption ensures confidentiality of credentials e.g. from unauthorized + access on the file system. Also, the usage of a credential management system + can help protect credentials. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 3 + implementation: "" + dependsOn: + - Environment depending configuration parameters (secrets) + references: + samm2: + - I-SD-2-B + iso27001-2017: + - 14.1.3 + - 13.1.3 + - 9.4.3 + - 9.4.1 + - 10.1.2 + iso27001-2022: + - 8.33 + - 8.22 + - 5.17 + - 8.3 + - 8.24 + d3f: + - ApplicationConfigurationHardening + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/94a96f79-8bd6-4904-97c0-994ff88f176a + tags: + - secret + teamsImplemented: + Default: false + B: false + C: false + Inventory of production artifacts: + uuid: 83057028-0b77-4d2e-8135-40969768ae88 + risk: In case a vulnerability of severity high or critical exists, it needs + to be known where an artifacts (e.g. container image) with that vulnerability + is deployed. + measure: A documented inventory of artifacts in production like container images + exists (gathered manually or automatically). + dependsOn: + - Defined deployment process + - Inventory of production components + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 3 + usefulness: 3 + level: 2 + implementation: + - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca + name: Backstage + tags: + - documentation + - inventory + url: https://github.com/backstage/backstage + description: | + Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). 
+ url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c + name: Image Metadata Collector + tags: + - documentation + - inventory + - kubernetes + url: https://github.com/SDA-SE/image-metadata-collector/ + description: | + Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. + references: + samm2: + - I-SD-2-A + iso27001-2017: + - 8.1 + - 8.2 + iso27001-2022: + - 5.9 + - 5.12 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/83057028-0b77-4d2e-8135-40969768ae88 + tags: + - inventory + teamsImplemented: + Default: false + B: false + C: false + Inventory of production components: + uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f + risk: An organization is unaware of components like applications in production. + Not knowing existing applications in production leads to not assessing it. + measure: |- + A documented inventory of components in production exists (gathered manually or automatically). For example a manually created document with applications in production. + In a kubernetes cluster, namespaces can be automatically gathered and documented, e.g. in a JSON in a S3 bucket/git repository, dependency track. + dependsOn: + - Defined deployment process + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 4 + level: 1 + implementation: + - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca + name: Backstage + tags: + - documentation + - inventory + url: https://github.com/backstage/backstage + description: | + Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. 
+ - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c + name: Image Metadata Collector + tags: + - documentation + - inventory + - kubernetes + url: https://github.com/SDA-SE/image-metadata-collector/ + description: | + Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. + references: + samm2: + - I-SD-2-A + iso27001-2017: + - 8.1 + - 8.2 + iso27001-2022: + - 5.9 + - 5.12 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/2a44b708-734f-4463-b0cb-86dc46344b2f + tags: + - inventory + teamsImplemented: + Default: false + B: false + C: false + Inventory of production dependencies: + uuid: 13e9757e-58e2-4277-bc0f-eadc674891e6 + risk: Delayed identification of components and their vulnerabilities in production. + In case a vulnerability is known by the organization, it needs to be known + where an artifacts with that vulnerability is deployed with which dependencies. + measure: A documented inventory of dependencies used in artifacts like container + images and containers exists. 
+ dependsOn: + - Inventory of production artifacts + - SBOM of components + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 3 + usefulness: 3 + level: 3 + implementation: + - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca + name: Backstage + tags: + - documentation + - inventory + url: https://github.com/backstage/backstage + description: | + Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c + name: Image Metadata Collector + tags: + - documentation + - inventory + - kubernetes + url: https://github.com/SDA-SE/image-metadata-collector/ + description: | + Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. + references: + samm2: + - I-SD-2-A + iso27001-2017: + - 8.1 + - 8.2 + iso27001-2022: + - 5.9 + - 5.12 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/13e9757e-58e2-4277-bc0f-eadc674891e6 + comments: "" + tags: + - inventory + - sbom + teamsImplemented: + Default: false + B: false + C: false + Rolling update on deployment: + uuid: 85d52588-f542-4225-a338-20dc22a5508d + risk: While a deployment is performed, the application can not be reached. 
+ measure: A deployment without downtime is performed*. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 2 + level: 3 + implementation: + - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba + name: Docker + url: https://github.com/moby/moby + tags: [] + - uuid: a71ce8f8-fd4a-4240-8b46-64a6cdb5dfdb + name: Webserver + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:WebServer/ + - uuid: ee2eb94b-7204-40d8-97da-43c7b1296e2e + name: rolling update + tags: [] + dependsOn: + - Defined deployment process + references: + samm2: + - I-SD-1-A + iso27001-2017: + - 12.5.1 + - 14.2.2 + - 17.2.1 + iso27001-2022: + - 8.19 + - 8.32 + - 8.14 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/85d52588-f542-4225-a338-20dc22a5508d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Same artifact for environments: + uuid: a854b48d-83bd-4f8d-8621-a0bdd470837f + risk: Building of an artifact for different environments means that an untested + artifact might reach the production environment. 
+ measure: Building an artifact once and deploying it to different environments + means that only tested artifacts are allowed to reach the production environment + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 4 + implementation: + - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba + name: Docker + url: https://github.com/moby/moby + tags: [] + dependsOn: + - Defined build process + references: + samm2: + - I-SD-2-A + iso27001-2017: + - 14.3.1 + - 14.2.8 + - 12.1.4 + iso27001-2022: + - 8.33 + - 8.29 + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a854b48d-83bd-4f8d-8621-a0bdd470837f + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of feature toggles: + uuid: a511799b-045e-4b96-9843-7d63d8c1e2ad + risk: Using environment variables to enable or disable features can lead to + a situation where a feature is accidentally enabled in the production environment. + measure: Usage of environment independent configuration parameter, called static + feature toggles, mitigates the risk of accidentally enabling insecure features + in production. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 2 + level: 4 + implementation: + - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba + name: Docker + url: https://github.com/moby/moby + tags: [] + - uuid: 83be6c60-6633-4c32-98de-7ae065c143c9 + name: Feature Toggles + tags: + - development + - architecture + url: https://martinfowler.com/articles/feature-toggles.html + description: | + Feature Toggles are a powerful technique, allowing teams to modify system behavior without changing code. 
(Pete Hodgson) + dependsOn: + - Same artifact for environments + references: + samm2: [] + iso27001-2017: + - 14.3.1 + - 14.2.8 + - 14.2.9 + - 12.1.4 + iso27001-2022: + - 8.33 + - 8.29 + - 8.31 + d3f: + - ApplicationConfigurationHardening + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a511799b-045e-4b96-9843-7d63d8c1e2ad + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Patch Management: + A patch policy is defined: + uuid: 99415139-6b50-441b-89e1-0aa59accd43d + risk: Vulnerabilities in running artifacts stay for long and might get exploited. + measure: A patch policy for all artifacts (e.g. in images) is defined. How often + is an image rebuilt? + difficultyOfImplementation: + knowledge: 3 + time: 1 + resources: 2 + usefulness: 4 + level: 1 + implementation: [] + references: + samm2: + - O-EM-1-B + iso27001-2017: + - 12.6.1 + - 12.5.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.19 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/99415139-6b50-441b-89e1-0aa59accd43d + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Automated PRs for patches: + uuid: 8ae0b92c-10e0-4602-ba22-7524d6aed488 + risk: Components with known (or unknown) vulnerabilities might stay for long + and get exploited, even when a patch is available. + measure: |- + Fast patching of third party component is needed. The DevOps way is to have an automated pull request for new components. This includes + * Applications * Virtualized operating system components (e.g. container images) * Operating Systems * Infrastructure as Code/GitOps (e.g. 
argocd based on a git repository or terraform) + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 4 + level: 1 + implementation: + - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 + name: dependabot + tags: + - auto-pr + - patching + url: https://dependabot.com/ + - uuid: 42ddb49f-48f2-4a3a-b76a-e73104ac6971 + name: Jenkins + tags: [] + url: https://www.jenkins.io/ + - uuid: 0d63f907-37fe-4375-88a5-a5e252732618 + name: terraform + tags: + - IaC + url: https://www.terraform.io/ + description: | + Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service. + - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920 + name: renovate + tags: + - auto-pr + - patching + url: https://github.com/renovatebot/renovate + references: + samm2: + - O-EM-1-B + iso27001-2017: + - 12.6.1 + - 14.2.5 + iso27001-2022: + - "8.8" + - "8.27" + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/8ae0b92c-10e0-4602-ba22-7524d6aed488 + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Automated deployment of automated PRs: + uuid: 08f27c26-2c6a-47fe-9458-5e88f188085d + description: Automated merges of automated created PRs for outdated dependencies. + risk: Even if automated dependencies PRs are merged, they might not be deployed. + This results in vulnerabilities in running artifacts stay for too long and + might get exploited. 
+ measure: | + After merging of an automated dependency PR, automated deployment is needed, + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + dependsOn: + - Automated merge of automated PRs + implementation: + - uuid: 0d63f907-37fe-4375-88a5-a5e252732618 + name: terraform + tags: + - IaC + url: https://www.terraform.io/ + description: | + Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service. + - uuid: fdb0e7cc-d3dd-4a2b-9f45-7d403001294f + name: argoCD + tags: + - deployment + url: https://argo-cd.readthedocs.io/en/stable/ + references: + samm2: + - O-EM-2-B + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/08f27c26-2c6a-47fe-9458-5e88f188085d + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Automated merge of automated PRs: + uuid: f2594f8f-1cd6-45f9-af29-eaf3315698eb + description: Automated merges of automated created PRs for outdated dependencies. + risk: Vulnerabilities in running artifacts stay for too long and might get exploited. + measure: | + A good practice is to merge trusted dependencies (e.g. spring boot) after a grace period like one week. + Often, patches, fixes and minor updates are automatically merged. Be aware that automated merging requires a high + automated test coverage. Enforcement of merging of pull requests after a grace period. 
+ difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 3 + level: 2 + dependsOn: + - Automated PRs for patches + implementation: + - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 + name: dependabot + tags: + - auto-pr + - patching + url: https://dependabot.com/ + - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920 + name: renovate + tags: + - auto-pr + - patching + url: https://github.com/renovatebot/renovate + references: + samm2: + - O-EM-2-B + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/f2594f8f-1cd6-45f9-af29-eaf3315698eb + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Nightly build of images (base images): + uuid: 34869eaf-f2e1-4926-b0bd-28c43402f057 + description: |- + A base image is a pre-built image that serves as a starting point for building + new images or containers. These base images usually include an operating system, + necessary dependencies, libraries, and other components that are required to run + a specific application or service. Nightly builds of custom base images refer to + an automated process that occurs daily or on a scheduled basis, usually during + nighttime or off-peak hours, to create updated versions of custom base images. + risk: Vulnerabilities in running containers stay for too long and might get + exploited. + measure: Custom base images are getting build at least nightly. In case the + packages in the base image e.g. centos has changed, the build server + triggers the build of depending images. 
+ difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: + - O-EM-1-B + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/34869eaf-f2e1-4926-b0bd-28c43402f057 + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Reduction of the attack surface: + uuid: 16e39c8f-5336-4001-88ed-a552d2447531 + description: |- + Distroless images are minimal, stripped-down base images that contain only the + essential components required to run your application. They do not include package + managers, shells, or any other tools that are commonly found in standard Linux + distributions. Using distroless images can help reduce the attack surface and + overall size of your container images. + risk: Components, dependencies, files or file access rights might have vulnerabilities, + but the they are not needed. + measure: Removal of unneeded components, dependencies, files or file access + rights. For container images the usage of distroless images is recommended. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 3 + level: 2 + implementation: + - uuid: ef647044-b675-47d3-9720-3ebc144ef37b + name: Distroless + tags: [] + url: https://github.com/GoogleContainerTools/distroless + - uuid: be757cb3-63d6-4a63-9c4e-e10b746fd47a + name: Fedora CoreOS + tags: [] + url: https://getfedora.org/coreos + - uuid: a92c4f8f-a918-406a-b1e5-70acfc0477bd + name: Distroless or Alpine + tags: [] + url: https://itnext.io/which-container-images-to-use-distroless-or-alpine-96e3dab43a22 + references: + samm2: + - I-SB-2 + iso27001-2017: + - hardening is missing in ISO 27001 + - 14.2.1 + iso27001-2022: + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/16e39c8f-5336-4001-88ed-a552d2447531 + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Usage of a maximum lifetime for images: + uuid: 485a3383-7f2e-4dba-bb84-479377070904 + description: |- + The maximum lifetime for a Docker container refers to the duration a container + should be allowed to run before it is considered outdated, stale, or insecure. + There is not a fixed, universally applicable maximum lifetime for a Docker + container, as it varies depending on the specific use case, application + requirements, and security needs. As a best practice, it is essential to define + a reasonable maximum lifetime for containers to ensure that you consistently + deploy the most recent, patched, and secure versions of both your custom base + images and third-party images. + risk: Vulnerabilities in images of running containers stay for too long and + might get exploited. Long running containers have potential memory leaks. + A compromised container might get killed by restarting the container (e.g. + in case the attacker has not reached the persistence layer). + measure: A short maximum lifetime for images is defined, e.g. 30 days. 
The project + images, based on the nightly builded images, are deployed at leased once within + the defined lifetime. Third Party images are deployed at leased once within + the defined lifetime. + difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 2 + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: + - O-EM-1-B + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/485a3383-7f2e-4dba-bb84-479377070904 + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Usage of a short maximum lifetime for images: + uuid: 6b96e5a0-ce34-4ea4-a88f-469d3b84546e + description: |- + The maximum lifetime for a Docker container refers to the duration a container + should be allowed to run before it is considered outdated, stale, or insecure. + There is not a fixed, universally applicable maximum lifetime for a Docker + container, as it varies depending on the specific use case, application + requirements, and security needs. As a best practice, it is essential to define + a reasonable maximum lifetime for containers to ensure that you consistently + deploy the most recent, patched, and secure versions of both your custom base + images and third-party images. + risk: Vulnerabilities in running containers stay for too long and might get + exploited. + measure: | + A good practice is to perform the build and deployment daily or even just-in-time, when a new component (e.g. package) for the image is available. 
+ difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 2 + usefulness: 3 + level: 4 + implementation: + - uuid: 1a463242-b480-46f6-a912-b51ec1c1558d + name: "Sample concept: \n(1" + tags: [] + description: "Sample concept: \n(1) each container has a set lifetime and + is killed / replaced with a new container multiple times a day where you + have some form of a graceful replacement to ensure no (short) service outage + will occur to the end users. \n(2) twice a day a rebuild of images is done. + The rebuilds are put into a automated testing pipeline. If the testing has + no blocking issues the new images will be released for deployment during + the next \"restart\" of a container. What has to be done, is to ensure the + new containers are deployed in some canary deployment manner, this will + ensure that if (and only if) something buggy has been introduced which breaks + functionality the canary deployment will make sure the \"older version\" + is being used and not the buggy newer one." + references: + samm2: + - O-EM-2-B + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/6b96e5a0-ce34-4ea4-a88f-469d3b84546e + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false +Culture and Organization: + Design: + Conduction of advanced threat modeling: + uuid: ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9 + risk: Inadequate identification of business and technical risks. + measure: Threat modeling is performed by using reviewing user stories and producing + security driven data flow diagrams. 
+ difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 2 + usefulness: 3 + level: 4 + dependsOn: + - Conduction of simple threat modeling on technical level + - Creation of threat modeling processes and standards + description: | + **Example High Maturity Scenario:** + + Based on a detailed threat model defined and updated through code, the team decides the following: + + * Local encrypted caches need to expire and auto-purged. + * Communication channels encrypted and authenticated. + * All secrets persisted in shared secrets store. + * Frontend designed with permissions model integration. + * Permissions matrix defined. + * Input is escaped output is encoded appropriately using well established libraries. + + Source: OWASP Project Integration Project + implementation: + - uuid: c0533602-11b7-4838-93cc-a40556398163 + name: Whiteboard + tags: + - defender + - threat-modeling + - collaboration + - whiteboard + url: https://en.wikipedia.org/wiki/Whiteboard + - uuid: 965c3814-b6df-4ead-a096-1ed78ce1c7c1 + name: Miro (or any other collaborative board) + tags: + - defender + - threat-modeling + - collaboration + - whiteboard + url: https://miro.com/ + - uuid: 088794c4-3424-40d4-9084-4151587fc84d + name: Draw.io + tags: + - defender + - threat-modeling + - whiteboard + url: https://github.com/jgraph/drawio-desktop + - uuid: fd0f282b-a065-4464-beed-770c604a5f52 + name: Threat Modeling Playbook + tags: + - owasp + - defender + - threat-modeling + - whiteboard + url: https://github.com/Toreon/threat-model-playbook + - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52 + name: OWASP SAMM + tags: + - threat-modeling + - owasp + - defender + url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ + - uuid: e8332407-5149-459e-a2fe-c5c78c7ec55c + name: Threagile + tags: + - threat-modeling + url: https://github.com/Threagile/threagile + - uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617 + name: Threat Matrix for Storage + url: 
https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/ + tags: + - documentation + - storage + - cluster + - kubernetes + references: + samm2: + - D-TA-2-B + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 8.2.1 + - 14.2.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 5.12 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Conduction of simple threat modeling on business level: + uuid: 48f97f31-931c-46eb-9b3e-e2fec0cd0426 + risk: Business related threats are discovered too late in the development and + deployment process. + measure: Threat modeling of business functionality is performed during the product + backlog creation to facilitate early detection of security defects. + difficultyOfImplementation: + knowledge: 2 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: [] + references: + samm2: + - D-TA-2-B + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 8.2.1 + - 14.2.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 5.12 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/48f97f31-931c-46eb-9b3e-e2fec0cd0426 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Conduction of simple threat modeling on technical level: + uuid: 47419324-e263-415b-815d-e7161b6b905e + risk: Technical related threats are discovered too late in the development and + deployment process. + measure: Threat modeling of technical features is performed during the product + sprint planning. 
+ difficultyOfImplementation: + knowledge: 2 + time: 3 + resources: 1 + usefulness: 3 + level: 1 + implementation: + - uuid: c0533602-11b7-4838-93cc-a40556398163 + name: Whiteboard + tags: + - defender + - threat-modeling + - collaboration + - whiteboard + url: https://en.wikipedia.org/wiki/Whiteboard + - uuid: 965c3814-b6df-4ead-a096-1ed78ce1c7c1 + name: Miro (or any other collaborative board) + tags: + - defender + - threat-modeling + - collaboration + - whiteboard + url: https://miro.com/ + - uuid: 088794c4-3424-40d4-9084-4151587fc84d + name: Draw.io + tags: + - defender + - threat-modeling + - whiteboard + url: https://github.com/jgraph/drawio-desktop + - uuid: fd0f282b-a065-4464-beed-770c604a5f52 + name: Threat Modeling Playbook + tags: + - owasp + - defender + - threat-modeling + - whiteboard + url: https://github.com/Toreon/threat-model-playbook + - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52 + name: OWASP SAMM + tags: + - threat-modeling + - owasp + - defender + url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ + - uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617 + name: Threat Matrix for Storage + url: https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/ + tags: + - documentation + - storage + - cluster + - kubernetes + description: | + # OWASP SAMM Description + Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment. + + Threat modeling is a team exercise, including product owners, architects, security champions, and security testers. At this maturity level, expose teams and stakeholders to threat modeling to increase security awareness and to create a shared vision on the security of the system. 
+ + At maturity level 1, you perform threat modeling ad-hoc for high-risk applications and use simple threat checklists, such as STRIDE. Avoid lengthy workshops and overly detailed lists of low-relevant threats. Perform threat modeling iteratively to align to more iterative development paradigms. If you add new functionality to an existing application, look only into the newly added functions instead of trying to cover the entire scope. A good starting point is the existing diagrams that you annotate during discussion workshops. Always make sure to persist the outcome of a threat modeling discussion for later use. + + Your most important tool to start threat modeling is a whiteboard, smartboard, or a piece of paper. Aim for security awareness, a simple process, and actionable outcomes that you agree upon with your team. Once requirements are gathered and analysis is performed, implementation specifics need to be defined. The outcome of this stage is usually a diagram outlining data flows and a general system architecture. This presents an opportunity for both threat modeling and attaching security considerations to every ticket and epic that is the outcome of this stage. + + Source: https://owaspsamm.org/model/design/threat-assessment/stream-b/ + # OWASP Project Integration Description + There is some great advice on threat modeling out there *e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/) article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one. + + A bite sized primer by Adam Shostack himself can be found [here](https://adam.shostack.org/blog/2018/03/threat-modeling-panel-at-appsec-cali-2018/). + + OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling) on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html). 
Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/). + + There's a few projects that can help with creating Threat Models at this stage, [PyTM](https://github.com/izar/pytm) is one, [ThreatSpec](https://github.com/threatspec/threatspec) is another. + + > Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations. An example can be found below._ + + ![Threat Model](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/threat_model.png "Threat Model") + + Last, if the organizations maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function. + + ![SKF](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/skf_qs.png "SKF") + + This practice has the side effect that it trains non-security specialists to think like attackers. + + The outcomes of this stage should help lay the foundation of secure design and considerations. + + **Example Low Maturity Scenario:** + + Following vague feature requirements the design includes caching data to a local unencrypted database with a hardcoded password. + + Remote data store access secrets are hardcoded in the configuration files. All communication between backend systems is plaintext. + + Frontend serves data over GraphQL as a thin layer between caching system and end user. + + GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries. Access to data is protected with basic auth set to _1234:1234_ for development purposes. 
+ + Source: OWASP Project Integration Project + references: + samm2: + - D-TA-2-B + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 8.2.1 + - 14.2.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 5.12 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/47419324-e263-415b-815d-e7161b6b905e + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Creation of advanced abuse stories: + uuid: 0a929c3e-ab9a-4206-8761-adf84b74622e + risk: Simple user stories are not going deep enough. Relevant security considerations + are performed. Security flaws are discovered too late in the development and + deployment process + measure: Advanced abuse stories are created as part of threat modeling activities. + difficultyOfImplementation: + knowledge: 4 + time: 2 + resources: 1 + usefulness: 4 + level: 5 + dependsOn: + - Creation of simple abuse stories + implementation: + - uuid: bb5b8988-021b-452a-a914-bd36887b6860 + name: Don't Forget EVIL User stories + tags: [] + url: https://www.owasp.org/index.php/Agile_Software_Development + description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) + and [Practical Security Stories and Security Tasks for Agile Development + Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' + references: + samm2: + - D-TA-2-B + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of project management + - 6.1.5 + - May be part of risk assessment + - 8.1.2 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of project management + - 5.8 + - May be part of risk assessment + - 5.9 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/0a929c3e-ab9a-4206-8761-adf84b74622e + comments: "" + 
tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Creation of simple abuse stories: + uuid: bacf85b6-5bc0-405d-b5ba-a5d971467cc1 + risk: User stories mostly don't consider security implications. Security flaws + are discovered too late in the development and deployment process. + measure: Abuse stories are created during the creation of user stories. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 3 + implementation: + - uuid: bb5b8988-021b-452a-a914-bd36887b6860 + name: Don't Forget EVIL User stories + tags: [] + url: https://www.owasp.org/index.php/Agile_Software_Development + description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) + and [Practical Security Stories and Security Tasks for Agile Development + Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' + dependsOn: + - Conduction of simple threat modeling on technical level + - Creation of threat modeling processes and standards + references: + samm2: + - D-TA-2-B + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of project management + - 6.1.5 + - May be part of risk assessment + - 8.1.2 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of project management + - 5.8 + - May be part of risk assessment + - 5.9 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/bacf85b6-5bc0-405d-b5ba-a5d971467cc1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Creation of threat modeling processes and standards: + uuid: dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e + risk: Inadequate identification of business and technical risks. 
+ measure: Creation of threat modeling processes and standards through the organization + helps to enhance the security culture and provide more structure to the threat + model exercises. + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 2 + usefulness: 3 + level: 3 + description: "" + implementation: + - uuid: fd0f282b-a065-4464-beed-770c604a5f52 + name: Threat Modeling Playbook + tags: + - owasp + - defender + - threat-modeling + - whiteboard + url: https://github.com/Toreon/threat-model-playbook + - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52 + name: OWASP SAMM + tags: + - threat-modeling + - owasp + - defender + url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ + dependsOn: + - Conduction of simple threat modeling on technical level + references: + samm2: + - D-TA-3-B + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 8.2.1 + - 14.2.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 5.12 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Information security targets are communicated: + uuid: 1b9281b9-48e2-4c01-9ac6-9db9931c4885 + risk: Employees don't know their organizations security targets. Therefore security + is not considered during development and administration as much as it should + be. + measure: Transparent and timely communication of the security targets by senior + management is essential to ensure teams' buy-in and support. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: [] + iso27001-2017: + - 5.1.1 + - 7.2.1 + iso27001-2022: + - 5.1 + - 5.4 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/1b9281b9-48e2-4c01-9ac6-9db9931c4885 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Education and Guidance: + Ad-Hoc Security trainings for software developers: + uuid: 12c90cc6-3d58-4d9b-82ff-d469d2a0c298 + risk: Understanding security is hard and personnel needs to be trained on it. + Otherwise, flaws like an SQL Injection might be introduced into the software + which might get exploited. + measure: Provide security awareness training for all personnel involved in software + development Ad-Hoc. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 3 + level: 1 + implementation: + - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a + name: OWASP Juice Shop + tags: + - training + url: https://github.com/bkimminich/juice-shop + description: In case you do not have the budget to hire an external security + expert, an option is to use the OWASP JuiceShop on a "hacking Friday" + - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 + name: OWASP Cheatsheet Series + tags: + - secure coding + url: https://cheatsheetseries.owasp.org/ + references: + samm2: + - G-EG-1-A + iso27001-2017: + - 7.2.2 + iso27001-2022: + - 6.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/12c90cc6-3d58-4d9b-82ff-d469d2a0c298 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Aligning security in teams: + uuid: f994a55d-71bb-45a4-a887-0a213d72c504 + risk: The concept of Security Champions might suggest that only he/she is responsible + for security. However, everyone in the project team should be responsible + for security. 
+ measure: By aligning security Subject Matter Experts with project teams, a higher + security standard can be achieved. + difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 1 + usefulness: 5 + implementation: + - uuid: 8a044b74-17f2-4ffa-9dee-6b3bb6e4baf3 + name: Involve Security SME + tags: [] + description: Security SME are involved in discussion for requirements analysis, + software design and sprint planning to provide guidance and suggestions. + level: 4 + references: + samm2: + - G-EG-3-B + iso27001-2017: + - 7.1.1 + iso27001-2022: + - 6.1 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/f994a55d-71bb-45a4-a887-0a213d72c504 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Conduction of build-it, break-it, fix-it contests: + uuid: bfdb576e-a416-4ec6-96fe-a078d58b2ff8 + risk: Understanding security is hard, even for security champions and the conduction + of security training often focuses on breaking a component instead of building + a component secure. + measure: The build-it, break-it, fix-it contest allows to train people with + security related roles like security champions the build, break and fix part + of a secure application. This increases the learning of building secure components. 
+ difficultyOfImplementation: + knowledge: 5 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 8d4c1849-f310-4c42-8148-2810b382bc6f + name: Build it Break it Fix it Contest + tags: [] + url: https://builditbreakit.org/ + references: + samm2: + - G-EG-2-A + iso27001-2017: + - 7.2.2 + iso27001-2022: + - 6.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/bfdb576e-a416-4ec6-96fe-a078d58b2ff8 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Conduction of collaborative security checks with developers and system administrators: + uuid: 95caef96-36ed-458c-a087-5c35d4f9dec2 + risk: Security checks by external companies do not increase the understanding + of an application/system for internal employees. + measure: Periodically security reviews of source code (SCA), in which security + SME, developers and operations are involved, are effective at increasing the + robustness of software and the security knowledge of the teams involved. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 1 + usefulness: 3 + level: 5 + implementation: [] + references: + samm2: + - G-EG-2-A + iso27001-2017: + - Mutual review of source code is not explicitly required in ISO 27001 may + be + - 7.2.2 + - 12.6.1 + - 12.7.1 + iso27001-2022: + - Mutual review of source code is not explicitly required in ISO 27001 may + be + - 6.3 + - 8.8 + - 8.34 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/95caef96-36ed-458c-a087-5c35d4f9dec2 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Conduction of collaborative team security checks: + uuid: 35446784-7610-40d9-af9e-d43f3173bf8c + risk: Development teams limited insight over security practices. 
+ measure: Mutual security testing the security of other teams project enhances + security awareness and knowledge. + difficultyOfImplementation: + resources: 2 + knowledge: 4 + time: 4 + usefulness: 2 + level: 4 + implementation: [] + references: + samm2: + - G-EG-1-A + - G-EG-2-A + iso27001-2017: + - Mutual security testing is not explicitly required in ISO 27001 may be + - 7.2.2 + iso27001-2022: + - Mutual security testing is not explicitly required in ISO 27001 may be + - 6.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/35446784-7610-40d9-af9e-d43f3173bf8c + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Conduction of war games: + uuid: 534f60bf-0995-4314-bb9c-f0f2bf204694 + risk: Understanding incident response plans during an incident is hard and ineffective. + measure: War Games like activities help train for incidents. Security SMEs create + attack scenarios in a testing environment enabling the trainees to learn how + to react in case of an incident. + difficultyOfImplementation: + knowledge: 4 + time: 5 + resources: 4 + usefulness: 3 + level: 4 + implementation: [] + references: + samm2: + - G-EG-2-A + iso27001-2017: + - War games are not explicitly required in ISO 27001 may be + - 7.2.2 + - 16.1 + - 16.1.5 + iso27001-2022: + - War games are not explicitly required in ISO 27001 may be + - 6.3 + - 5.24 + - 5.26 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/534f60bf-0995-4314-bb9c-f0f2bf204694 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Each team has a security champion: + uuid: 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 + risk: No one feels directly responsible for security and the security champion + does not have enough time to allocate to each team. + measure: Each team defines an individual to be responsible for security. 
These + individuals are often referred to as 'security champions' + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 1 + usefulness: 4 + level: 2 + description: | + Implement a program where each software development team has a member considered a "Security Champion" who is the liaison between Information Security and developers. Depending on the size and structure of the team the "Security Champion" may be a software developer, tester, or a product manager. The "Security Champion" has a set number of hours per week for Information Security related activities. They participate in periodic briefings to increase awareness and expertise in different security disciplines. "Security Champions" have additional training to help develop these roles as Software Security subject-matter experts. You may need to customize the way you create and support "Security Champions" for cultural reasons. + + The goals of the position are to increase effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. To achieve these objectives, "Security Champions" assist with researching, verifying, and prioritizing security and compliance related software defects. They are involved in all Risk Assessments, Threat Assessments, and Architectural Reviews to help identify opportunities to remediate security defects by making the architecture of the application more resilient and reducing the attack threat surface. 
+ + [Source: OWASP SAMM](https://owaspsamm.org/model/governance/education-and-guidance/stream-b/) + implementation: + - uuid: c191a515-3c10-4903-a889-70c8021f2ea1 + name: OWASP Security Champions Playbook + tags: + - security champions + url: https://github.com/c0rdis/security-champions-playbook + references: + samm2: + - G-EG-1-B + - G-EG-2-B + iso27001-2017: + - Security champions are missing in ISO 27001 most likely + - 7.2.1 + - 7.2.2 + iso27001-2022: + - Security champions are missing in ISO 27001 most likely + - 5.4 + - 6.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Office Hours: + uuid: 185d5a74-19dc-4422-be07-44ea35226783 + risk: Developers and Operations are not in contact with the security team and + therefore do not ask prior implementation of (known or unknown) threats- + measure: As a security team, be open for questions and hints during defined + office hours. x x d + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 3 + level: 3 + implementation: ~ + references: + samm2: + - G-EG-1-A + iso27001-2017: + - 7.2.2 + iso27001-2022: + - 6.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/185d5a74-19dc-4422-be07-44ea35226783 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Regular security training for all: + uuid: 9768f154-357a-4c06-af6f-d66570677c9b + risk: Understanding security is hard. + measure: Provide security awareness training for all internal personnel involved + in software development on a regular basis like twice in a year for 1-3 days. 
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 4
+ resources: 2
+ usefulness: 4
+ level: 2
+ description: |
+ Conduct security awareness training for all roles currently involved in the management, development, testing, or auditing of the software. The goal is to increase the awareness of application security threats and risks, security best practices, and secure software design principles. Develop training internally or procure it externally. Ideally, deliver training in person so participants can have discussions as a team, but Computer-Based Training (CBT) is also an option.
+
+ Course content should include a range of topics relevant to application security and privacy, while remaining accessible to a non-technical audience. Suitable concepts are secure design principles including Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability. Additionally, the training should include references to any organization-wide standards, policies, and procedures defined to improve application security. The OWASP Top 10 vulnerabilities should be covered at a high level.
+
+ Training is mandatory for all employees and contractors involved with software development and includes an auditable sign-off to demonstrate compliance. Consider incorporating innovative ways of delivery (such as gamification) to maximize its effectiveness and combat desensitization.
+ + [Source: OWASP SAMM 2](https://owaspsamm.org/model/governance/education-and-guidance/stream-a/) + implementation: + - uuid: 81476121-67dd-4ba9-a67b-e78a23050c28 + name: OWASP JuiceShop + tags: [] + url: https://github.com/bkimminich/juice-shop + description: |- + In case you do not have the budget to hire an external security expert, an option + is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday" + - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 + name: OWASP Cheatsheet Series + tags: + - secure coding + url: https://cheatsheetseries.owasp.org/ + references: + samm2: + - G-EG-1-A + iso27001-2017: + - 7.2.2 + iso27001-2022: + - 6.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/9768f154-357a-4c06-af6f-d66570677c9b + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Regular security training for externals: + uuid: 31833d56-35af-4ef3-9300-f23d27646ce7 + risk: Understanding security is hard. + measure: Provide security awareness training for all personnel including externals + involved in software development on a regular basis. 
+ difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 3 + usefulness: 4 + level: 4 + implementation: + - uuid: 81476121-67dd-4ba9-a67b-e78a23050c28 + name: OWASP JuiceShop + tags: [] + url: https://github.com/bkimminich/juice-shop + description: |- + In case you do not have the budget to hire an external security expert, an option + is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday" + - uuid: 99080ac7-60cd-46af-93a1-a53a33597cba + name: https://cheatsheetseries.owasp.org/ + tags: + - training + - secure coding + url: https://cheatsheetseries.owasp.org/ + references: + samm2: + - G-EG-3-A + iso27001-2017: + - 7.2.2 + iso27001-2022: + - 6.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/31833d56-35af-4ef3-9300-f23d27646ce7 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Regular security training of security champions: + uuid: f88d1b17-3d7d-4c3d-8139-ad44fc4942d4 + risk: Understanding security is hard, even for security champions. + measure: Regular security training of security champions. 
+ assessment: | + - Process Documentation: TODO + - Training Content: TOODO + difficultyOfImplementation: + knowledge: 4 + time: 2 + resources: 2 + usefulness: 5 + level: 2 + implementation: + - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 + name: OWASP Cheatsheet Series + tags: + - secure coding + url: https://cheatsheetseries.owasp.org/ + dependsOn: + - Each team has a security champion + references: + samm2: + - D-TA-2-B + - G-EG-1-A + iso27001-2017: + - Security champions are missing in ISO 27001 + - 7.2.2 + iso27001-2022: + - Security champions are missing in ISO 27001 + - 6.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/f88d1b17-3d7d-4c3d-8139-ad44fc4942d4 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Reward of good communication: + uuid: 91b6f75b-9f4a-4d77-95a2-af7ad3222c7c + risk: Employees are not getting excited about security. + measure: Good communication and transparency encourages cross-organizational + support. Gamification of security is also known to help, examples include + T-Shirts, mugs, cups, gift cards and 'High-Fives'. 
+ difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: 8e1b4a8a-c53b-4b1e-90f6-c60b7e225098 + name: Motivate people + tags: + - security champions + - gamification + - nudging + url: https://github.com/wurstbrot/security-pins + description: |- + Enhance motivation can be performed with the distribution of pins + as a reward, see [OWASP Security Pins Project](https://github.com/wurstbrot/security-pins) + - uuid: 22b63bdb-2003-4ac0-969d-b1e5268c2510 + name: OWASP Top 10 Maturity Categories for Security Champions + tags: + - security champions + url: https://owaspsamm.org/presentations/OWASP_Top_10_Maturity_Categories_for_Security_Champions.pptx + references: + samm2: + - G-EG-1-B + iso27001-2017: + - not required by ISO 27001 + - interestingly enough A7.2.3 is requiring a process to handle misconduct + but nothing to promote good behavior. + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/91b6f75b-9f4a-4d77-95a2-af7ad3222c7c + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Security Coaching: + uuid: f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3 + risk: Training does not change behaviour. Therefore, even if security practices + are understood, it's likely that they are not performed. + measure: By coaching teams on security topics using for example the samman coaching + method, teams internalize security practices as new habits in their development + process. + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 1 + usefulness: 3 + implementation: + - uuid: 9223be73-00da-400e-a910-3871734cff2f + name: sammancoaching + tags: + - documentation + - coaching + - education + url: https://sammancoaching.org/ + description: | + Security coaches work with software development teams to help them adopt better security practices. 
+ level: 3 + references: + samm2: + - G-EG-3-B + iso27001-2017: + - 7.1.1 + iso27001-2022: + - 6.1 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Security code review: + uuid: 7121b0c7-6ace-4d6b-95d0-94535dbccb57 + risk: Understanding security is hard. + measure: | + The following areas of code tend to have a high-risk of containing security vulnerabilities: + - Crypto implementations / usage + - Parser, unparser + - System configuration + - Authentication, authorization + - Session management + - Request throttling + - :unicorn: (self-developed code, only used in that one software) + description: | + ### Benefits + - New vulnerabilities may be found before reaching production. + - Old vulnerabilities are found and fixed. + assessment: | + - Present the performed reviews (including participants, findings, consequences) and assess whether it is reasonable. 
+ difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: c77f7ecd-76de-4611-bd6d-5b249f910c39 + name: CWE Top 25 Most Dangerous Software Weaknesses + tags: + - documentation + - threat + url: https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html + credits: | + AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) + references: + samm2: + - V-ST-1-B + iso27001-2017: + - ISO 27001:2017 mapping is missing + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/7121b0c7-6ace-4d6b-95d0-94535dbccb57 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Security consulting on request: + uuid: 0b28367b-75a0-4bae-a926-3725c1bf9bb0 + risk: Not asking a security expert when questions regarding security appear + might lead to flaws. + measure: Security consulting to teams is given on request. The security consultants + can be internal or external. + difficultyOfImplementation: + knowledge: 3 + time: 1 + resources: 1 + usefulness: 3 + level: 1 + implementation: + - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 + name: OWASP Cheatsheet Series + tags: + - secure coding + url: https://cheatsheetseries.owasp.org/ + references: + samm2: + - G-EG-1-A + iso27001-2017: + - security consulting is missing in ISO 27001 may be + - 6.1.1 + - 6.1.4 + - 6.1.5 + iso27001-2022: + - Security consulting is missing in ISO 27001 may be + - 5.2 + - 5.6 + - 5.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/0b28367b-75a0-4bae-a926-3725c1bf9bb0 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Security-Lessoned-Learned: + uuid: 58c46807-fee9-448b-b6dd-8050c464ab52 + risk: After an incident, a similar incident might reoccur. 
+ measure: Running a 'lessons learned' session after an incident helps drive continuous + improvement. Regular meetings with security champions are a good place to + share and discuss lessons learned. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: [] + references: + samm2: + - O-IM-3-B + iso27001-2017: + - 16.1.6 + iso27001-2022: + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/58c46807-fee9-448b-b6dd-8050c464ab52 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Simple mob hacking: + uuid: 535f301a-e8e8-4eda-ad77-a08b035c92de + risk: Understanding security is hard. + measure: | + Participate with your whole team in a simple mob hacking session organized by the Security Champion Guild. + In the session the guild presents a vulnerable application and together you look at possible exploits. + Just like in mob programming there is one driver and several navigators. + description: | + ### Guidelines for your simple mob hacking session + - All exploits happen via the user interface. + - No need for security/hacking tools. + - No need for deep technical or security knowledge. + - Use an insecure training app, e.g., [DVWA](https://dvwa.co.uk/) or [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/). + - Encourage active participation, e.g., use small groups. + - Allow enough time for everyone to run at least one exploit. + + ### Benefits + - The team gets an idea of how exploits can look like and how easy applications can be attacked. + - The team understands functional correct working software can be highly insecure and easy to exploit. 
+ difficultyOfImplementation: + knowledge: 5 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + credits: | + AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) + implementation: + - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a + name: OWASP Juice Shop + tags: + - training + url: https://github.com/bkimminich/juice-shop + description: In case you do not have the budget to hire an external security + expert, an option is to use the OWASP JuiceShop on a "hacking Friday" + - uuid: a8cd9acb-ad22-44d6-b177-1154c65a8529 + name: Damn Vulnerable Web Application + tags: + - training + description: Simple Application with intended vulnerabilities. HTML based. + references: + samm2: + - G-EG-1-A + iso27001-2017: + - 7.2.2 + iso27001-2022: + - 6.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/535f301a-e8e8-4eda-ad77-a08b035c92de + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Process: + Approval by reviewing any new version: + uuid: 3f63bdbc-c75f-4780-a941-e6ad42e894e1 + risk: An individual might forget to implement security measures to protect source + code or infrastructure components. + measure: On each new version (e.g. Pull Request) of source code or infrastructure + components a security peer review of the changes is performed (two eyes principle) + and approval given by the reviewer. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 3 + implementation: [] + references: + samm2: [] + iso27001-2017: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 6.1.2 + - 14.2.1 + iso27001-2022: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 5.3 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/3f63bdbc-c75f-4780-a941-e6ad42e894e1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Definition of a change management process: + uuid: b4193d32-3948-47e2-a326-3748c48019a1 + risk: The impact of a change is not controlled because these are not recorded + or documented. + measure: Each change of a system is automatically recorded and adequately logged. + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: [] + references: + samm2: [] + iso27001-2017: + - 14.2.2 + - 12.1.2 + - 12.4.1 + iso27001-2022: + - 8.32 + - 8.15 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/b4193d32-3948-47e2-a326-3748c48019a1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Definition of simple BCDR practices for critical components: + uuid: c72da779-86cc-45b1-a339-190ce5093171 + description: A _Business Continuity and Disaster Recovery_ (BCDR) is a plan + and a process that helps a business to return to normal operations if a disaster + occurs. + risk: If the disaster recovery actions are not clear, you risk slow reaction + and remediation delays. This applies to cyber attacks as well as natural emergencies, + such as a power outage. + measure: By understanding and documenting a business continuity and disaster + recovery (BCDR) plan, the overall availability of systems and applications + is increased. 
Success factors like responsibilities, Service Level Agreements, + Recovery Point Objectives, Recovery Time Objectives or Failover must be fully + documented and understood by the people involved in the recovery. + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 2 + usefulness: 4 + level: 1 + implementation: [] + references: + samm2: [] + iso27001-2017: + - 17.1.1 + iso27001-2022: + - 5.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/c72da779-86cc-45b1-a339-190ce5093171 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Determining the protection requirement: + uuid: 72737130-472c-4984-80f8-9ab2f1c2ed5d + risk: "Not defining the protection requirement of applications can lead to wrong + prioritization, delayed remediation of \ncritical security issues, increasing + the risk of exploitation and potential damage to the organization." + measure: "Defining the protection requirement. \nThe protection requirements + for an application should consider:\n- Processed data criticality\n- Application + accessibility (internal vs. external)\n- Regulatory compliance\n- Other relevant + factors" + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 2 + dependsOn: + - Inventory of production components + implementation: + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. 
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
+ name: Purify
+ tags:
+ - vulnerability management system
+ url: https://github.com/faloker/purify/
+ description: |
+ The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
+ name: Business friendly vulnerability management metrics
+ url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ tags:
+ - documentation
+ - vulnerability
+ - vulnerability management system
+ - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
+ name: DefectDojo Client
+ tags:
+ - Defectdojo
+ - statistics
+ url: https://github.com/SDA-SE/defectdojo-client
+ description: |
+ This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/72737130-472c-4984-80f8-9ab2f1c2ed5d
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurements
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+Implementation:
+ Application Hardening:
+ App. Hardening Level 1:
+ uuid: cf819225-30cb-4702-8e32-60225eedc33d
+ risk: Using an insecure application might lead to a compromised application.
+ This might lead to total data theft or data modification.
+ measure: |
+ Following frameworks like the
+ * OWASP Application Security Verification Standard Level 1
+ * OWASP Mobile Application Security Verification Standard
+
+ in all applications provides a good baseline. Implement 95%-100% of the recommendations.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 1
+ usefulness: 4
+ level: 2
+ dependsOn:
+ - App.
Hardening Level 1 (50%)
+ description: |
+ To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jump-start the development process, but also do so securely.
+
+ [...]
+
+ ### Planning aka Requirements Gathering & Analysis
+ The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security.
+
+ ![SAMM Requirements](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/OWASP-in0.png)
+
+ Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process.
+
+ These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations.
+
+ In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below.
+ + Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md) + implementation: + - uuid: 88767cde-1610-402e-98ec-bc3575377183 + name: OWASP ASVS + tags: [] + url: https://owasp.org/www-project-application-security-verification-standard/ + - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 + name: OWASP MASVS + tags: [] + url: https://github.com/OWASP/owasp-masvs + - uuid: 596cb528-8981-4723-bcc3-22c261f26114 + name: API Security Maturity Model for Authorization + tags: + - api + url: https://curity.io/resources/learn/the-api-security-maturity-model/ + references: + samm2: + - D-SR-1-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/cf819225-30cb-4702-8e32-60225eedc33d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + App. Hardening Level 1 (50%): + uuid: b597928e-54d6-48a5-a806-8003dcd56aab + risk: Using an insecure application might lead to a compromised application. + This might lead to total data theft or data modification. + measure: | + Following frameworks like the + * OWASP Application Security Verification Standard Level 1 + * OWASP Mobile Application Security Verification Standard + + in all applications provides a good baseline. Implement 50% of the recommendations. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 1 + description: | + To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. 
Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jumpstart the development process, but also do so securely.
+
+ [...]
+
+ ### Planning aka Requirements Gathering & Analysis
+ The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security.
+
+ ![SAMM Requirements](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/OWASP-in0.png)
+
+ Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process.
+
+ These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations.
+
+ In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below.
+ + Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md) + implementation: + - uuid: 88767cde-1610-402e-98ec-bc3575377183 + name: OWASP ASVS + tags: [] + url: https://owasp.org/www-project-application-security-verification-standard/ + - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 + name: OWASP MASVS + tags: [] + url: https://github.com/OWASP/owasp-masvs + - uuid: 596cb528-8981-4723-bcc3-22c261f26114 + name: API Security Maturity Model for Authorization + tags: + - api + url: https://curity.io/resources/learn/the-api-security-maturity-model/ + references: + samm2: + - D-SR-1-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/b597928e-54d6-48a5-a806-8003dcd56aab + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + App. Hardening Level 2: + uuid: ffe86caf-2fec-4630-b514-2db83983984d + risk: Using an insecure application might lead to a compromised application. + This might lead to total data theft or data modification. + measure: | + Following frameworks like the + * OWASP Application Security Verification Standard Level 2 + * OWASP Mobile Application Security Verification Standard Level 2 + + Implement 95%-100% of the recommendations. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 3 + level: 4 + implementation: + - uuid: 88767cde-1610-402e-98ec-bc3575377183 + name: OWASP ASVS + tags: [] + url: https://owasp.org/www-project-application-security-verification-standard/ + - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 + name: OWASP MASVS + tags: [] + url: https://github.com/OWASP/owasp-masvs + references: + samm2: + - D-SR-2-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/ffe86caf-2fec-4630-b514-2db83983984d + comments: "" + dependsOn: + - App. Hardening Level 2 (75%) + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + App. Hardening Level 2 (75%): + uuid: 03643ca2-03c2-472b-8e19-956bf02fe9b7 + risk: Using an insecure application might lead to a compromised application. + This might lead to total data theft or data modification. + measure: | + Following frameworks like the + * OWASP Application Security Verification Standard Level 2 + * OWASP Mobile Application Security Verification Standard Level 2 + + Implement 75% of the recommendations. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 88767cde-1610-402e-98ec-bc3575377183 + name: OWASP ASVS + tags: [] + url: https://owasp.org/www-project-application-security-verification-standard/ + - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 + name: OWASP MASVS + tags: [] + url: https://github.com/OWASP/owasp-masvs + references: + samm2: + - D-SR-2-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/03643ca2-03c2-472b-8e19-956bf02fe9b7 + comments: "" + dependsOn: + - App. Hardening Level 1 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + App. Hardening Level 3: + uuid: 4cae98c2-4163-44ed-bb88-3c67c569533a + risk: Using an insecure application might lead to a compromised application. + This might lead to total data theft or data modification. + measure: | + Following frameworks like the + * OWASP Application Security Verification Standard Level 3 + * OWASP Mobile Application Security Verification Standard + + Implement 95%-100% of the recommendations. 
+ difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 2 + usefulness: 4 + level: 5 + implementation: + - uuid: 88767cde-1610-402e-98ec-bc3575377183 + name: OWASP ASVS + tags: [] + url: https://owasp.org/www-project-application-security-verification-standard/ + - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 + name: OWASP MASVS + tags: [] + url: https://github.com/OWASP/owasp-masvs + references: + samm2: + - D-SR-3-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/4cae98c2-4163-44ed-bb88-3c67c569533a + dependsOn: + - App. Hardening Level 2 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Containers are running as non-root: + uuid: a86c1fbc-28fd-4610-89a3-a7f73acfe45f + risk: |- + There are various reasons to run a container as non-root. 
Samples are listed: + ## Container Escape Vectors + + - Root privileges significantly increase the chance of breaking container isolation + - Root access can be leveraged to exploit kernel vulnerabilities + - Compromised root containers provide attackers with maximum privileges inside the container + - Greater potential for escaping container boundaries to the host system + + ## Host System Vulnerabilities + + Root containers can potentially: + + - Mount sensitive host filesystems + - Access critical device files + - Modify host network settings + - Interact with host system processes + - Override security controls + + ## Resource Management Issues + + Root privileges may allow containers to: + + - Bypass resource quotas and limits + - Modify control group (cgroup) settings + - Interfere with other containers' resources + - Circumvent memory and CPU restrictions + + Security Boundary Weakening + + - Violates the principle of least privilege + - Provides unnecessary elevated permissions + - Expands the potential attack surface + - Increases the impact of a successful compromise + measure: "Containers are running as non-root. This can be enforced in the image + itself or during runtime parameters \n(e.g. `podman run --user [...]`)." 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/a86c1fbc-28fd-4610-89a3-a7f73acfe45f + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Context-aware output encoding: + uuid: e1f37abb-d848-4a3a-b3df-65e91a89dcb7 + description: "**Input validation** stops malicious data from entering your system. + \\\n**Output encoding** neutralizes malicious data before rendering to user, + or the next system.\n\nInput validation and output encoding work together. + Apply both. \n\n**Context-aware output encoding** encodes data differently, + depending on its context. In the sample below the `{{bad_data}}` must be encoded + differently, depending on its context, to render safe HTML.\n\n```html\n
{{bad_data}}
\nClick me\n\n\n``` \n" + risk: If an attacker manages to slip though your input validation, the attacker + may gain control over the user session or execute arbitrary actions. + measure: "* Use modern secure frameworks such as React/Angular/Vue/Svelte. The + default method here renders data in a safe way.\n* Use established and well-maintained + encoding libraries such as OWASP\u2019s Java Encoder and Microsoft\u2019s + AntiXSS.\n* Implement content security policies (CSP) to restrict the types + of content that can be loaded and executed.\n" + difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 3 + level: 1 + implementation: + - uuid: 2d61e48f-bade-4332-a383-adc50c29673a + name: OWASP DOM based XSS Prevention CheatSheet + url: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + tags: [] + - uuid: ae97c9b0-308c-4dab-bff9-bf3330a897dc + name: CWE-838 Inappropriate Encoding for Output Context + tags: + - documentation + - cwe + url: https://cwe.mitre.org/data/definitions/838.html + references: + samm2: + - D-SR-1-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/e1f37abb-d848-4a3a-b3df-65e91a89dcb7 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Parametrization: + uuid: 00e91a8a-3972-4692-8679-674ab8547486 + description: | + By concatenating strings from user input to build SQL queries, an attacker can manipulate the query to do other unintentional SQL commands as well. + + This is called *SQL injection* but the principle applies to NoSql, and anywhere that your code is building commands that will be executed. + + Pay attention to these two lines of code. They seem similar, but behave very differently. 
+ + * `sql.execute("SELECT * FROM table WHERE ID = " + id);` + * `sql.execute("SELECT * FROM table WHERE ID = ?", id);` + The second line is parameterized. The same principle applies to other types, such as command line execution, etc. + risk: "Systems vulnerable to injections may lead to data breaches, loss of data, + \nunauthorized alteration of data, or complete database compromise or downtime.\n\nThis + applies to SQL, NoSql, LDAP, XPath, email headers OS commands, etc. \n" + measure: | + * Identify which of the types your application is using. Check that you use: + * Use _parametrized queries_ (or _prepared statements_) + * For database queries, you may also use: + * Use _stored procedures_ () + * Use ORM (Object-Relational Mapping) tools that automatically handle input sanitization + difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 3 + level: 1 + implementation: + - uuid: d880fa0f-9dbb-454e-a003-d844fad31ab4 + name: OWASP Parameterization CheatSheet + url: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + tags: [] + references: + samm2: + - D-SR-1-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/00e91a8a-3972-4692-8679-674ab8547486 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Secure headers: + uuid: 29318d60-18ce-4526-80ea-f5928e49f639 + risk: | + Missing or misconfigured security headers can lead to various security vulnerabilities, e.g.: + - Cross-Site Scripting (XSS) due to missing Content Security Policy + - Clickjacking attacks due to missing X-Frame-Options + - Information disclosure through Server header exposure + - SSL/TLS downgrade attacks due to missing HSTS + - Cross-site 
scripting and injection due to missing security headers + measure: | + Implement and enforce security headers across all applications and services + + Implementation Methods: + 1. Reverse Proxy/Load Balancer: Configure at nginx/Apache level + 2. Web Application: Implement in the application middleware + 3. Service Mesh: Configure at the ingress controller level + 4. Standard Docker Image: Use secure base images with preset headers + + Remove or Secure: + - Server header: Hide server version information + - X-Powered-By: Remove technology stack information + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 3 + implementation: + - uuid: 370b7f35-4da7-4833-89d6-7266b82ea07e + name: OWASP Secure Headers Project + tags: + - header + - documentation + url: https://owasp.org/www-project-secure-headers/ + description: "The OWASP Secure Headers Project (also called OSHP) describes + HTTP response headers that your application can use \nto increase the security + of your application. Once set, these HTTP response headers can restrict + modern browsers \nfrom running into easily preventable vulnerabilities. + The OWASP Secure Headers Project intends to raise awareness\nand use of + these headers." 
+ meta: + implementationGuide: | + Essential headers: + - Content-Security-Policy: Define trusted sources for content + - Strict-Transport-Security: Enforce HTTPS connections + - X-Frame-Options: Prevent clickjacking attacks + - X-Content-Type-Options: Prevent MIME-type sniffing + - X-XSS-Protection: Enable browser's XSS filtering + - Referrer-Policy: Control information in the Referrer header + references: + samm2: + - D-SR-3-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/cre/620-421 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Development and Source Control: + .gitignore: + uuid: 363a3eea-baf9-4010-88ca-bb8186a2989d + risk: Unintended leakage of secrets, debug, or workstation specific data + measure: .gitignore files help prevent accidental commits of secrets, debug, + or workstation specific data + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 5 + level: 4 + dependsOn: [] + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.1.1 + - 12.1.2 + - 14.2.2 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.37 + - 8.32 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/363a3eea-baf9-4010-88ca-bb8186a2989d + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Block force pushes: + uuid: c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17 + risk: "Misuse of force push can lead to loss of work. It may overwrite remote + \nbranches without warning, potentially erasing valuable contributions from + team members. 
This can disrupt collaboration, \ncause data loss, and create + confusion in the development process.\n\nBypassing the pull request process + might remove an important code review step. \nThis increases the risk of merging + low-quality or buggy code into the main branch, potentially introducing bugs + in the codebase." + measure: Mandate blocking of force pushes in the version control platform. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 3 + level: 3 + dependsOn: + - Require a PR before merging + implementation: + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops + tags: + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + tags: + - source-code-protection + - scm + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 6.1.2 + - 14.2.1 + iso27001-2022: + - 5.3 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Dismiss stale PR approvals: + uuid: ea6f69f7-54a5-4922-ac15-a77ff0c16162 + risk: Intentional or accidental alterations in critical branches like main (or + master) through post-approval code additions. + measure: Implement a policy where any commits made after a pull request has + been approved automatically revoke that approval, necessitating a fresh review + and re-approval process. 
+ difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - Require a PR before merging + implementation: + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops + tags: + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + tags: + - source-code-protection + - scm + - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 + name: Enforcement of commit signing + tags: + - signing + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule + description: Usage of branch protection rules + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 6.1.2 + - 14.2.1 + iso27001-2022: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 5.3 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/ea6f69f7-54a5-4922-ac15-a77ff0c16162 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Local development linting & style checks performed: + uuid: 517b0957-4981-4ac0-b4c7-0d8d1934c474 + risk: Insecure or unmaintainable code base. + measure: Integrate static code analysis tools in IDEs. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 2 + level: 5 + description: "" + implementation: + - uuid: 0b7ec352-0c36-4de1-8912-617fc6c608fe + name: How to enforce a consistent coding style in your projects + url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm + tags: + - ide + - linting + - uuid: aa5ded61-5380-4da6-9474-afc36a397682 + name: In-Depth Linting of Your TypeScript While Coding + url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding + tags: + - ide + - linting + references: + samm2: + - V-ST-1-A + iso27001-2017: + - ISO 27001:2017 mapping is missing + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/517b0957-4981-4ac0-b4c7-0d8d1934c474 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Require a PR before merging: + uuid: e7598ac4-b082-4e56-b7df-e2c6b426a5e2 + risk: Intentional or accidental alterations in critical branches like main (or + master). + measure: Define source code management system policies (e.g. branch protection + rules, mandatory code reviews from at least one person, ...) to ensure that + changes to critical branches are only possible under defined conditions. These + policies can be implemented at repository level or organization level, depending + on the source code management system. 
+ difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 2 + implementation: + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops + tags: + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + tags: + - source-code-protection + - scm + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 6.1.2 + - 14.2.1 + iso27001-2022: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 5.3 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/e7598ac4-b082-4e56-b7df-e2c6b426a5e2 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Require status checks to pass: + uuid: ac8730a2-ccc0-465c-9550-d91edae9d5ee + risk: Organizations risk introducing broken builds, quality issues, and security + vulnerabilities into their codebase. + measure: Mandate passing of security related specified status checks, like successful + builds or static application security tests, before proceeding. 
+ difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - Require a PR before merging + implementation: + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops + tags: + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + tags: + - source-code-protection + - scm + - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 + name: Enforcement of commit signing + tags: + - signing + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule + description: Usage of branch protection rules + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 6.1.2 + - 14.2.1 + iso27001-2022: + - 5.3 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/ac8730a2-ccc0-465c-9550-d91edae9d5ee + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Versioning: + uuid: 066084c6-1135-4635-9cc5-9e75c7c5459f + risk: Deployment of untracked artifacts. + measure: Version artifacts in order to identify deployed features and issues. + This includes application and infrastructure code, jenkins configuration, + container and virtual machine images. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 5 + level: 1 + dependsOn: + - Defined deployment process + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.1.1 + - 12.1.2 + - 14.2.2 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.37 + - 8.32 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/066084c6-1135-4635-9cc5-9e75c7c5459f + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Infrastructure Hardening: + Applications are running in virtualized environments: + uuid: 3a94d55e-fd82-4996-9eb3-20d23ff2a873 + risk: Through a vulnerability in one service on a server, the attacker gains + access to other services running on the same server. + measure: Applications are running in a dedicated and isolated virtualized environments. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 5 + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/3a94d55e-fd82-4996-9eb3-20d23ff2a873 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Backup: + uuid: 5c61fd6b-8106-4c68-ac28-a8a42f1c67dc + risk: If errors are experienced during the deployment process you want to deploy + an old release. However, due to changes in the database this is often unfeasible. + measure: Performing automated periodical backups are used. Backup before deployment + can help facilitate deployments whilst testing the backup restore processes. 
+ difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 4 + level: 2 + implementation: + - uuid: ba7348e5-1abf-4c7d-8fbc-49f99460930b + name: A complete backup of persisted data might be performed*. + tags: [] + - uuid: 9af7624e-0729-4eeb-b257-ebaf65f70355 + name: A Point in Time Recovery for databases should be implemented. + tags: [] + dependsOn: + - Defined deployment process + references: + samm2: + - TODO + iso27001-2017: + - 12.3 + - 14.2.6 + iso27001-2022: + - 8.13 + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/5c61fd6b-8106-4c68-ac28-a8a42f1c67dc + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Baseline Hardening of the environment: + uuid: 5992c38c-8597-4035-89db-d15820d81c3a + risk: Using default configurations for a cluster environment leads to potential + risks. + measure: Harden environments according to best practices. Level 1 and partially + level 2 from hardening practices like 'CIS Kubernetes Bench for Security' + should be considered. + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 2 + usefulness: 4 + level: 2 + implementation: + - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff + name: CIS Kubernetes Bench for Security + tags: [] + url: https://www.cisecurity.org/cis-benchmarks/ + - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f + name: CIS Docker Bench for Security + tags: [] + url: https://www.cisecurity.org/cis-benchmarks/ + - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef + name: For example for Cont + tags: [] + description: 'For example for Containers: Deny running containers as root, + deny using advanced privileges, deny mounting of the hole filesystem, ...' 
+ url: https://d3fend.mitre.org/technique/d3f:ExecutionIsolation/ + - uuid: 3b7df373-2ad9-456e-9abe-439cdc9d4d8b + name: Attack Matrix Cloud + tags: + - mitre + url: https://attack.mitre.org/matrices/enterprise/cloud/ + description: Attack matrix for cloud + - uuid: 59881520-4c69-4922-a44e-99044a77de2b + name: Attack Matrix Containers + tags: + - mitre + url: https://attack.mitre.org/matrices/enterprise/cloud/ + description: Attack matrix for containers + - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 + name: Attack Matrix Kubernetes + tags: + - mitre + url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + description: Attack matrix for kubernetes + - uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af + name: Defend the core kubernetes security at every layer + url: https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer/ + tags: + - documentation + - cluster + - kubernetes + references: + samm2: + - O-EM-1-A + iso27001-2017: + - system hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/5992c38c-8597-4035-89db-d15820d81c3a + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Filter outgoing traffic: + uuid: 6df508ef-86fc-4c22-bd9f-646c3127ce7d + risk: A compromised infrastructure component might try to send out stolen data. + measure: Having a whitelist and explicitly allowing egress traffic provides + the ability to stop unauthorized data leakage. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 2 + level: 3 + dependsOn: [] + implementation: + - uuid: 4a024319-4510-4a53-a8b6-8f35b6c01867 + name: Open Policy Agent + tags: [] + url: https://www.openpolicyagent.org/ + - uuid: e3c6fb92-3f7d-471f-9308-c62359f4f1b7 + name: firewalls + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/ + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/6df508ef-86fc-4c22-bd9f-646c3127ce7d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Hardening of the Environment: + uuid: dcf9601b-b4f2-4e25-9143-e39af75f7c33 + risk: Using default configurations for a cluster environment leads to potential + risks. + measure: Harden environments according to best practices. Level 2 and partially + level 3 from hardening practices like 'CIS Kubernetes Bench for Security' + should be considered. + difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 2 + usefulness: 3 + level: 4 + implementation: + - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff + name: CIS Kubernetes Bench for Security + tags: [] + url: https://www.cisecurity.org/cis-benchmarks/ + - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f + name: CIS Docker Bench for Security + tags: [] + url: https://www.cisecurity.org/cis-benchmarks/ + - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef + name: For example for Cont + tags: [] + description: 'For example for Containers: Deny running containers as root, + deny using advanced privileges, deny mounting of the hole filesystem, ...' 
+ url: https://d3fend.mitre.org/technique/d3f:ExecutionIsolation/ + - uuid: 3b7df373-2ad9-456e-9abe-439cdc9d4d8b + name: Attack Matrix Cloud + tags: + - mitre + url: https://attack.mitre.org/matrices/enterprise/cloud/ + description: Attack matrix for cloud + - uuid: 59881520-4c69-4922-a44e-99044a77de2b + name: Attack Matrix Containers + tags: + - mitre + url: https://attack.mitre.org/matrices/enterprise/cloud/ + description: Attack matrix for containers + - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 + name: Attack Matrix Kubernetes + tags: + - mitre + url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + description: Attack matrix for kubernetes + - uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af + name: Defend the core kubernetes security at every layer + url: https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer/ + tags: + - documentation + - cluster + - kubernetes + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/dcf9601b-b4f2-4e25-9143-e39af75f7c33 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Immutable infrastructure: + uuid: 48e92bb1-fdba-40e8-b6c2-35de0d431833 + risk: The availability of IT systems might be disturbed due to components failures + measure: Redundancies in the IT systems + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 3 + dependsOn: + - Infrastructure as Code + implementation: + - uuid: b206481f-9c66-45e2-843c-37c5730580cd + name: Remove direct access to infrastructure + tags: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 17.2.1 + iso27001-2022: + - Not 
explicitly covered by ISO 27001 - too specific + - 8.14 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/48e92bb1-fdba-40e8-b6c2-35de0d431833 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Infrastructure as Code: + uuid: 8b994601-575e-4ea5-b228-accb18c8e514 + risk: No tracking of changes in systems might lead to errors in the configuration. + In additions, it might lead to unauthorized changes. An examples is jenkins. + measure: Systems are setup by code. A full environment can be provisioned. In + addition, software like Jenkins 2 can be setup and configured in in code too. + The code should be stored in a version control system. + difficultyOfImplementation: + knowledge: 3 + time: 5 + resources: 4 + usefulness: 4 + level: 3 + implementation: + - uuid: b0931397-2402-44f1-814b-63292ab4a339 + name: GitOps + tags: [] + url: https://www.redhat.com/en/topics/devops/what-is-gitops + - uuid: 73747d35-2185-4f22-94a0-723288fa283c + name: Ansible + tags: [] + url: https://github.com/ansible/ansible + - uuid: 691c443f-b6e2-498d-94dc-778d8d51cfce + name: Chef + tags: [] + url: https://github.com/chef/chef + - uuid: eb7f76a8-87e5-4394-af4c-c09487c85982 + name: Puppet + tags: [] + url: https://github.com/puppetlabs/puppet + - uuid: 321dcfe4-d2fc-4dd2-85bf-aac563958458 + name: Jenkinsfile + tags: [] + url: https://www.jenkins.io/doc/book/pipeline/jenkinsfile/ + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.1.1 + - 12.1.2 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.37 + - 8.32 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/8b994601-575e-4ea5-b228-accb18c8e514 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Isolated networks for virtual environments: + uuid: 
4ce24abd-8ba6-494c-828d-4d193e28e4a1 + risk: Virtual environments in default settings are able to access other virtual + environments on the network stack. By using virtual machines, it is often + possible to connect to other virtual machines. By using docker, one bridge + is used by default so that all containers on one host can communicate with + each other. + measure: The communication between virtual environments is controlled and regulated. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 5 + level: 2 + dependsOn: [] + implementation: + - uuid: 9429d52c-203d-49ae-814f-1401210887cd + name: istio + tags: [] + url: https://istio.io/ + - uuid: fc0eda30-2bf7-466f-948e-e17584db9f30 + name: bridges + tags: [] + - uuid: e3c6fb92-3f7d-471f-9308-c62359f4f1b7 + name: firewalls + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/ + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/4ce24abd-8ba6-494c-828d-4d193e28e4a1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Limitation of system events: + uuid: e5386abf-9154-4752-a1a8-c3a8900f732d + risk: System events (system calls) can lead to privilege escalation. + measure: System calls are limited. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 5 + level: 3 + dependsOn: + - Audit of system events + implementation: + - uuid: 0cc7e68b-f7d9-4e66-8065-47d076129ffd + name: seccomp + tags: [] + url: https://man7.org/linux/man-pages/man2/seccomp.2.html + - uuid: 73ab2e3d-11a7-459d-8b57-9337662bd1ff + name: strace + tags: [] + url: https://man7.org/linux/man-pages/man1/strace.1.html + - uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012 + name: Falco + tags: + - falco + - systemcall + - monitoring + url: https://github.com/falcosecurity/falco + description: | + Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. + references: + samm2: + - O-EM-1-A + iso27001-2017: + - System hardening is not explicitly covered by ISO 27001 - too specific + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/e5386abf-9154-4752-a1a8-c3a8900f732d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + MFA: + uuid: 598e9f13-1ac8-4a01-b85e-8fab93ee81de + risk: One factor authentication is more vulnerable to brute force attacks and + is considered less secure. 
+ measure: Two ore more factor authentication for all accounts on all (important) + systems and applications + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 4 + level: 2 + dependsOn: + - MFA for admins + implementation: + - uuid: e76a395a-8d6a-4e25-a175-6cf25409b755 + name: Smartcard + tags: [] + url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 + name: YubiKey + tags: [] + url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 + name: SMS + tags: [] + - uuid: f69f5d03-691f-4e14-8fbc-ad66e2e5a12d + name: TOTP + tags: [] + url: https://d3fend.mitre.org/technique/d3f:One-timePassword/ + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 9.2.4 + - 6.1.2 + - 14.2.1 + iso27001-2022: + - 5.17 + - 5.3 + - 8.25 + d3f: + - Multi-factorAuthentication + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/598e9f13-1ac8-4a01-b85e-8fab93ee81de + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + MFA for admins: + uuid: 8098e416-e1ed-4ae4-a561-83efbe76bf57 + risk: One factor authentication is more vulnerable to brute force attacks and + is considered less secure. 
+ measure: Two ore more factor authentication for all privileged accounts on systems + and applications + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 1 + implementation: + - uuid: e76a395a-8d6a-4e25-a175-6cf25409b755 + name: Smartcard + tags: [] + url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 + name: YubiKey + tags: [] + url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 + name: SMS + tags: [] + - uuid: f69f5d03-691f-4e14-8fbc-ad66e2e5a12d + name: TOTP + tags: [] + url: https://d3fend.mitre.org/technique/d3f:One-timePassword/ + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 9.2.4 + - 6.1.2 + - 14.2.1 + iso27001-2022: + - 5.17 + - 5.3 + - 8.25 + d3f: + - Multi-factorAuthentication + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/8098e416-e1ed-4ae4-a561-83efbe76bf57 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Microservice-architecture: + uuid: 118b869b-3850-456e-98d9-1abdb85cbc5a + risk: Monolithic applications are hard to test. + measure: A microservice-architecture helps to have small components, which are + more easy to test. 
+ difficultyOfImplementation: + knowledge: 4 + time: 5 + resources: 5 + usefulness: 1 + level: 5 + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/118b869b-3850-456e-98d9-1abdb85cbc5a + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Production near environments are used by developers: + uuid: e14de741-94b3-447c-8b07-eea947d82e61 + risk: In case an errors occurs in production, the developer need to be able + to create a production near environment on a local development environment. + measure: Usage of infrastructure as code helps to create a production near environment. + The developer needs to be trained in order to setup a local development environment. + In addition, it should be possible to create production like test data. Often + personal identifiable information is anonymized in order to comply with data + protection laws. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 4 + level: 4 + dependsOn: + - Defined deployment process + - Infrastructure as Code + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 12.1.4 + - 17.2.1 + iso27001-2022: + - 8.31 + - 8.14 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/e14de741-94b3-447c-8b07-eea947d82e61 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Role based authentication and authorization: + uuid: 070bb14b-e04a-4f3d-896a-a08eba7a35f9 + risk: Everyone is able to get unauthorized access to information on systems + or to modify information unauthorized on systems. + measure: The usage of a (role based) access control helps to restrict system + access to authorized users. 
+ difficultyOfImplementation: + knowledge: 2 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 04edc63e-d389-48dd-b365-552aaf4ea004 + name: Directory Service + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:DirectoryService/ + - uuid: cc55cba1-ea0a-466e-99c5-337c9da2b00e + name: Plugins + tags: [] + dependsOn: + - Defined deployment process + - Defined build process + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 9.4.1 + iso27001-2022: + - 8.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/070bb14b-e04a-4f3d-896a-a08eba7a35f9 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Simple access control for systems: + uuid: 82e499d1-f463-4a4b-be90-68812a874af6 + risk: Attackers a gaining access to internal systems and application interfaces + measure: All internal systems are using simple authentication + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 5 + level: 1 + dependsOn: + - Defined deployment process + implementation: + - uuid: 41fda224-2980-443c-bfd4-0a1d4b520cb9 + name: HTTP-Basic Authentication + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:WebAuthentication/ + - uuid: e506f60b-747b-44b1-8fe8-f67ccd8f290e + name: VPN + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:VPN/ + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 9.4.1 + iso27001-2022: + - 8.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/82e499d1-f463-4a4b-be90-68812a874af6 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of a chaos monkey: + uuid: f8e80f18-2503-4e3e-b3bc-7f67bb28defe + risk: Due to manual changes on a system, they are not replaceable anymore. In + case of a crash it might happen that a planned redundant system is unavailable. 
+ In addition, it is hard to replay manual changes. + measure: A randomized periodically shutdown of systems makes sure, that nobody + will perform manual changes to a system. + difficultyOfImplementation: + knowledge: 3 + time: 5 + resources: 5 + usefulness: 3 + level: 4 + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 17.1.3 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/f8e80f18-2503-4e3e-b3bc-7f67bb28defe + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of an security account: + uuid: 746025a6-dbfb-4087-a000-e46acab64ee1 + risk: Having security auditing in the same account as infrastructure and applications + at the cloud provide might cause evil administrators (or threat actors taking + over an account of an administrator) to alter evidence like audit logs. + measure: Usage of a separate account dedicated for security activities. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 3 + usefulness: 4 + level: 2 + implementation: "" + references: + samm2: + - I-SD-2-B + iso27001-2017: + - 10.1 + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/746025a6-dbfb-4087-a000-e46acab64ee1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of edge encryption at transit: + uuid: ad23be9c-5661-4f1f-81a3-5a5dc7061629 + risk: Evil actors might be able to perform a man in the middle attack and sniff + confidential information (e.g. authentication factors like passwords). 
+ measure: |- + By using encryption at the edge of traffic in transit, it is impossible + or at least harder to sniff credentials or information being outside of the organization. + + Using standard secure protocols like HTTPS is recommended. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 1 + implementation: "" + references: + samm2: + - I-SD-2-B + iso27001-2017: + - 10.1 + iso27001-2022: + - 8.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/ad23be9c-5661-4f1f-81a3-5a5dc7061629 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of encryption at rest: + uuid: 0ff45fb8-7eef-46ed-9b3a-84c955cd7060 + risk: Evil actors might be able to access data and read information, e.g. from + physical hard disks. + measure: By using encryption at rest, it is impossible or at least harder to + to read information. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 2 + implementation: "" + references: + samm2: + - I-SD-2-B + iso27001-2017: + - 10.1 + iso27001-2022: + - 8.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/0ff45fb8-7eef-46ed-9b3a-84c955cd7060 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of internal encryption at transit: + uuid: ecb0184c-6bc9-45da-bbbb-a983797ffc93 + risk: Evil actors within the organization of traffic in transit might be able + to perform a man in the middle attack and sniff confidential information (e.g. + authentication factors like passwords) + measure: By using encryption internally, e.g. inside of a cluster, it is impossible + or at least harder to sniff credentials. 
+ difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 3 + usefulness: 4 + level: 3 + implementation: "" + references: + samm2: + - I-SD-2-B + iso27001-2017: + - 10.1 + iso27001-2022: + - 8.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/ecb0184c-6bc9-45da-bbbb-a983797ffc93 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of security by default for components: + uuid: 11b3848e-e931-4146-a35d-35409ada24ee + risk: Components (images, libraries, applications) are not hardened. + measure: Hardening of components is important, specially for image on which + other teams base on. Hardening should be performed on the operation system + and on the services inside (e.g. Nginx or a Java-Application). + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: d7fb1f5a-05e3-49f7-ae67-00bfb8f8410c + name: 'For applications: Check default encoding' + tags: [] + - uuid: 7e744f11-976e-46b6-88d4-f39b2965dfaf + name: managing secrets + tags: [] + url: https://d3fend.mitre.org/technique/d3f:CredentialHardening/ + - uuid: 520517ef-2911-4efc-8e1b-dcc9389aca45 + name: crypto + tags: [] + - uuid: ba6bd46c-2069-4f4d-b26c-7334a7553339 + name: authentication + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:Authentication/ + dependsOn: + - Defined build process + references: + samm2: + - O-EM-1-A + iso27001-2017: + - not explicitly covered by ISO 27001 - too specific + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/11b3848e-e931-4146-a35d-35409ada24ee + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of test and production environments: + uuid: bfdacb52-1e3f-431d-ae72-d844a5e86415 + risk: Security tests are not 
running regularly because test environments are + missing + measure: A test and a production like environment is used + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 5 + usefulness: 4 + level: 2 + dependsOn: + - Defined deployment process + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.1.4 + - 17.2.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.31 + - 8.14 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/bfdacb52-1e3f-431d-ae72-d844a5e86415 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Virtual environments are limited: + uuid: 760f1056-b0ee-4f22-a35b-f65446f944ca + risk: Denial of service (internally by an attacker or unintentionally by a bug) + on one service effects other services + measure: All virtual environments are using resource limits on hard disks, memory + and CPU + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 3 + usefulness: 3 + level: 2 + dependsOn: + - Applications are running in virtualized environments + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 12.1.3 + - 13.1.3 + - 17.2.1 + iso27001-2022: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 8.6 + - 8.22 + - 8.14 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/760f1056-b0ee-4f22-a35b-f65446f944ca + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + WAF Advanced: + uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced + risk: The presence of sophisticated threats necessitates a robust defense strategy + where application inputs are meticulously scrutinized for security breaches, + 
including advanced persistent threats and zero-day vulnerabilities. + measure: An advanced WAF protection level includes rigorous input validation, + rejecting any parameters not explicitly required, and custom rule sets that + are dynamically updated in response to emerging threats. + description: | + The advanced WAF setup is designed to ensure all data is in the correct format and any superfluous input parameters are automatically rejected. It includes machine learning algorithms to detect anomalies, custom-developed rules for real-time traffic analysis, and seamless integration with existing security infrastructures to adapt to the ever-changing threat landscape. + difficultyOfImplementation: + knowledge: 5 + time: 5 + resources: 5 + usefulness: 4 + level: 5 + dependsOn: + - WAF medium + implementation: [] + references: + samm2: + - D-SR-3-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced + comments: ~ + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + WAF baseline: + uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b + risk: Vulnerable input, such as exploits, can infiltrate the application via + numerous entry points, posing a significant security threat. + measure: Implementing a web application firewall (WAF) is a critical security + control. At a baseline level, the objective is to finely balance the reduction + of false positives, maintaining user experience, against a potential increase + in the less noticeable false negatives. + description: | + Begin with the WAF in a monitoring state to understand the traffic and threats. 
Progressively enforce blocking actions based on intelligence gathered, ensuring minimal disruption to legitimate traffic. + difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 3 + usefulness: 3 + level: 3 + dependsOn: + - Context-aware output encoding + implementation: [] + references: + samm2: + - D-SR-3-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b + comments: ~ + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + WAF medium: + uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium + risk: The threat from malicious inputs remains high, with exploits seeking to + exploit any vulnerabilities present at the various points of entry to the + application. + measure: A WAF deployed with a medium level of protection strengthens the security + posture by striking a more advanced balance between the detection of genuine + threats and the minimization of false alarms. + description: | + Maintain the WAF in alert mode initially to ensure a comprehensive understanding of potential threats. With a medium-level configuration, the WAF settings are refined for greater precision in threat detection, with a stronger emphasis on security without significantly impacting legitimate traffic. 
+ difficultyOfImplementation: + knowledge: 4 + time: 5 + resources: 4 + usefulness: 3 + level: 4 + dependsOn: + - WAF baseline + implementation: [] + references: + samm2: + - D-SR-3-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium + comments: ~ + tags: + - none + teamsImplemented: + Default: false + B: false + C: false +Information Gathering: + Logging: + Centralized application logging: + uuid: fe875e17-ae4a-45f8-a359-244aa4fcbc04 + risk: Local stored logs can be unauthorized manipulated by attackers with system + access or might be corrupt after an incident. In addition, it is hard to perform + an correlation of logs. This leads attacks, which can be performed silently. + measure: A centralized logging system is used and applications logs (including + application exceptions) are shipped to it. + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 5 + level: 3 + dependsOn: + - Alerting + implementation: [] + references: + samm2: + - O-IM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.4.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.15 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/fe875e17-ae4a-45f8-a359-244aa4fcbc04 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Centralized system logging: + uuid: 4eced38a-7904-4c45-adb0-50b663065540 + risk: Local stored system logs can be unauthorized manipulated by attackers + or might be corrupt after an incident. In addition, it is hard to perform + a aggregation of logs. 
+ measure: By using centralized logging logs are protected against unauthorized + modification. + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 2 + level: 1 + implementation: + - uuid: 79f88310-d63e-471d-8e63-8c77f2281b66 + name: rsyslog + url: https://www.rsyslog.com/ + tags: + - tool + - logging + - uuid: 7a8fad2e-d642-4972-8501-74591b23feab + name: logstash + url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html + tags: + - tool + - logging + references: + samm2: + - O-IM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.4.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.15 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/4eced38a-7904-4c45-adb0-50b663065540 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Correlation of security events: + uuid: ccf4561d-253f-4762-adcb-bc4622fd6fc5 + risk: Detection of security related events with hints on different systems/tools/metrics + is not possible. + measure: Events are correlated on one system. For example the correlation and + visualization of failed login attempts combined with successful login attempts. 
+ difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 4 + usefulness: 3 + level: 5 + dependsOn: + - Visualized logging + - Alerting + implementation: [] + references: + samm2: + - O-IM-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.4.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.15 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccf4561d-253f-4762-adcb-bc4622fd6fc5 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Logging of security events: + uuid: ccfdd0a8-991e-4269-ad77-c0a54ca655cb + description: | + Implement logging of security relevant events. The following events tend to be security relevant: + - successful/failed login/logout + - creation, change, and deletion of users + - errors during input validation and output creation + - exceptions and errors with security in their name + - transactions of value (e.g., financial transactions, costly operations) + - :unicorn: (special things of your application) + measure: Security-relevant events like login/logout or creation, change, deletion + of users should be logged. + assessment: | + - Show which events are logged. + - Show a test for one event logging. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 4 + level: 2 + credits: | + [AppSecure-nrw](https://github.com/AppSecure-nrw/security-belts/blob/master/orange/logging-of-security-events.md) + implementation: + - uuid: 7a8fad2e-d642-4972-8501-74591b23feab + name: logstash + url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html + tags: + - tool + - logging + - uuid: f5da3a20-ab64-4ecf-b4e1-660c80036e45 + name: fluentd + tags: + - tool + url: https://www.fluentd.org/ + - uuid: 6226f8bc-2f6e-45c2-9232-98d2027e4531 + name: bash + tags: + - tool + url: https://www.gnu.org/software/bash/ + - uuid: 5a5c7d99-41e8-454a-86ae-a638c9787d8c + name: OWASP Logging CheatSheet + url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + tags: + - logging + - documentation + references: + samm2: + - O-IM-1-A + iso27001-2017: + - 12.4.1 + iso27001-2022: + - 8.15 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccfdd0a8-991e-4269-ad77-c0a54ca655cb + risk: |- + * No track of security-relevant events makes it harder to analyze an incident. + * Security incident analysis takes significantly less time with proper security events, such that an attack can be stopped before the attacker reaches his goal. + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + PII logging concept: + uuid: 613a73dc-4f60-49db-a6ce-4fb7bf8519f9 + risk: Personal identifiable information (PII) is logged and the privacy law + (e.g. General Data Protection Regulation) is not followed. + measure: A concept how to log PII is documented and applied. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 1 + level: 5 + implementation: + - uuid: 79f88310-d63e-471d-8e63-8c77f2281b66 + name: rsyslog + url: https://www.rsyslog.com/ + tags: + - tool + - logging + - uuid: 7a8fad2e-d642-4972-8501-74591b23feab + name: logstash + url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html + tags: + - tool + - logging + - uuid: f5da3a20-ab64-4ecf-b4e1-660c80036e45 + name: fluentd + tags: + - tool + url: https://www.fluentd.org/ + - uuid: 6226f8bc-2f6e-45c2-9232-98d2027e4531 + name: bash + tags: + - tool + url: https://www.gnu.org/software/bash/ + references: + samm2: + - O-IM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.4.1 + - 18.1.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.15 + - 5.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/613a73dc-4f60-49db-a6ce-4fb7bf8519f9 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Visualized logging: + uuid: 7c735089-6a83-419f-8b27-c1e676cedea1 + risk: System and application protocols are not visualized properly which leads + to no or very limited logging assessment. Specially developers might have + difficulty to read applications logs with unusually tools like the Linux tool + 'cat' + measure: Protocols are visualized in a simple to use real time monitoring system. + The GUI gives the ability to search for special attributes in the protocol. 
+ difficultyOfImplementation: + knowledge: 1 + time: 3 + resources: 3 + usefulness: 4 + level: 2 + dependsOn: + - Centralized system logging + - Centralized application logging + implementation: + - uuid: 38fe9d00-df8b-44b6-910d-ca0f02b5c5d3 + name: ELK-Stack + tags: [] + url: https://www.elastic.co/elk-stack + references: + samm2: + - O-IM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.4.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.15 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/7c735089-6a83-419f-8b27-c1e676cedea1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Monitoring: + Advanced app. metrics: + uuid: d03bc410-74a7-4e92-82cb-d01a020cb6bf + risk: People are not looking into tests results. Vulnerabilities not recolonized, + even they are detected by tools. + measure: All defects from the dimension Test- and Verification are instrumented. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 4 + level: 4 + dependsOn: + - Simple application metrics + - Visualized metrics + implementation: [] + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d03bc410-74a7-4e92-82cb-d01a020cb6bf + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Advanced availability and stability metrics: + uuid: ed715b38-c34b-40cd-83fd-ce807f306fc1 + risk: Trends and advanced attacks are not detected. + measure: Advanced metrics are gathered in relation to availability and stability. + For example unplanned downtime's per year. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - Simple application metrics + - Visualized metrics + implementation: [] + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 12.1.3 + iso27001-2022: + - 8.6 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ed715b38-c34b-40cd-83fd-ce807f306fc1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Alerting: + uuid: 8a442d8e-0eb1-4793-a513-571aef982edd + risk: Incidents are discovered after they happened. + measure: | + Thresholds for metrics are set. In case the thresholds are reached, alarms are send out. Which should get attention due to the critically. + difficultyOfImplementation: + knowledge: 2 + time: 5 + resources: 5 + usefulness: 5 + level: 2 + dependsOn: + - Visualized metrics + implementation: [] + references: + samm2: + - I-DM-A 3 + iso27001-2017: + - 16.1.2 + - 16.1.4 + - 12.1.4 + iso27001-2022: + - 6.8 + - 5.25 + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8a442d8e-0eb1-4793-a513-571aef982edd + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Audit of system events: + uuid: 1cd5e4b8-be36-4726-adc7-d8f843f47ac8 + risk: System events (system calls) trends and attacks are not detected. + measure: Gathering of system calls. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - Visualized metrics + implementation: + - uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012 + name: Falco + tags: + - falco + - systemcall + - monitoring + url: https://github.com/falcosecurity/falco + description: | + Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. 
+ references: + samm2: + - O-IM-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/1cd5e4b8-be36-4726-adc7-d8f843f47ac8 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Coverage and control metrics: + uuid: d0d681e7-d6de-4829-ac64-a9eb2546aa0d + risk: The effectiveness of configuration, patch and vulnerability management + is unknown. + measure: "Usage of Coverage- and control-metrics to show the effectiveness of + the security program. Coverage is the degree in \n which a specific + security control for a specific target group is applied with all resources.\n + \ The control degree shows the actual application of security standards + and security-guidelines. Examples are gathering information on anti-virus, + anti-rootkits, patch management, server configuration and vulnerability management." + difficultyOfImplementation: + knowledge: 3 + time: 5 + resources: 2 + usefulness: 4 + level: 4 + dependsOn: + - Visualized metrics + implementation: + - uuid: 84ef86ea-ada4-4e10-ae4f-a5bb77dcae5d + name: https://ht.transpare + tags: [] + url: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD + description: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD%20Fileserver/books/SICUREZZA/Addison.Wesley.Security.Metrics.Mar.2007.pdf + references: + samm2: + - O-IM-2-A + iso27001-2017: + - not explicitly covered by ISO 27001 - too specific + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d0d681e7-d6de-4829-ac64-a9eb2546aa0d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Deactivation of unused metrics: + uuid: 7f36b9ba-bc05-4fd6-9a2a-73344c249722 + risk: High resources are used while gathering unused metrics. 
+ measure: Deactivation of unused metrics helps to free resources. + difficultyOfImplementation: + knowledge: 2 + time: 5 + resources: 5 + usefulness: 5 + level: 3 + dependsOn: + - Visualized metrics + implementation: [] + references: + samm2: + - O-IM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.1.3 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.6 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/7f36b9ba-bc05-4fd6-9a2a-73344c249722 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Defense metrics: + uuid: e808028c-351c-42f1-bcd9-fba738d1fc55 + risk: IDS/IPS systems like packet- or application-firewalls detect and prevent + attacks. It is not known how many attacks has been detected and blocked. + measure: | + Gathering of defense metrics like TCP/UDP sources enables to assume the geographic location of the request. + Assuming a Kubernetes cluster with an egress-traffic filter (e.g. IP/domain based), an alert might be send out in case of every violation. For ingress-traffic, alerting might not even be considered. + difficultyOfImplementation: + knowledge: 3 + time: 5 + resources: 2 + usefulness: 4 + level: 4 + dependsOn: + - Visualized metrics + - Filter outgoing traffic + implementation: [] + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 12.4.1 + - 13.1.1 + iso27001-2022: + - 8.15 + - 8.2 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e808028c-351c-42f1-bcd9-fba738d1fc55 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Grouping of metrics: + uuid: 42170a71-d4c8-47af-bd71-bf36875fd05b + risk: The analysis of metrics takes long. + measure: Meaningful grouping of metrics helps to speed up analysis. 
+ difficultyOfImplementation: + knowledge: 2 + time: 4 + resources: 2 + usefulness: 2 + level: 3 + implementation: [] + references: + samm2: + - O-IM-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.1.3 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.6 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/42170a71-d4c8-47af-bd71-bf36875fd05b + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Metrics are combined with tests: + uuid: 71699daf-b2a4-466b-a0b2-89f7dbb18506 + risk: Changes might cause high load due to programming errors. + measure: Metrics during tests helps to identify programming errors. + difficultyOfImplementation: + knowledge: 2 + time: 3 + resources: 2 + usefulness: 5 + level: 5 + dependsOn: + - Grouping of metrics + implementation: [] + references: + samm2: + - O-IM-2-A + iso27001-2017: + - not explicitly covered by ISO 27001 + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/71699daf-b2a4-466b-a0b2-89f7dbb18506 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Monitoring of costs: + uuid: 10e23a8c-22ff-4487-a706-87ccc9d0798e + risk: Not monitoring costs might lead to unexpected high resource consumption + and a high invoice. + measure: Implement cost budgets. Setting of an alert threshold and sending out + errors when it is reached. In the best case, a second threshold with a limit + is set so that the cost can not go higher. 
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 2
+ dependsOn:
+ - Simple application metrics
+ - Simple system metrics
+ implementation: []
+ references:
+ samm2:
+ - O-IM-2-A
+ iso27001-2017:
+ - 12.1.3
+ iso27001-2022:
+ - 8.6
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/10e23a8c-22ff-4487-a706-87ccc9d0798e
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Screens with metric visualization:
+ uuid: 8746647c-638c-473f-8e17-82c068e4c311
+ risk: Security related information is discovered too late during an incident.
+ measure: By having an internal accessible screen with a security related dashboards
+ helps to visualize incidents.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 1
+ resources: 1
+ usefulness: 5
+ level: 4
+ dependsOn:
+ - Grouping of metrics
+ implementation: []
+ references:
+ samm2:
+ - O-IM-2-A
+ iso27001-2017:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 16.1.5
+ iso27001-2022:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 5.26
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8746647c-638c-473f-8e17-82c068e4c311
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Simple application metrics:
+ uuid: e9a6d403-a467-445e-b98a-74f0c29da0b1
+ risk: Attacks on an application are not recognized.
+ measure: |-
+ Gathering of application metrics helps to identify incidents like brute force attacks, login/logout patterns, and unusual spikes in activity. Key metrics to monitor include:
+ - Authentication attempts (successful/failed logins)
+ - Transaction volumes and patterns (e.g. orders, payments)
+ - API call rates and response times
+ - User session metrics
+ - Resource utilization
+
+ Example: An e-commerce application normally processes 100 orders per hour.
A sudden spike to 1000 orders per hour could indicate either:
+ - A legitimate event (unannounced marketing campaign, viral social media post)
+ - A security incident (automated bulk purchase bots, credential stuffing attack)
+
+ By monitoring these basic metrics, teams can quickly investigate abnormal patterns and determine if they represent security incidents requiring response.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 5
+ level: 1
+ implementation:
+ - uuid: ddf221df-3517-42e4-b23d-c1d9a162744c
+ name: Prometheus
+ tags: []
+ url: https://prometheus.io/
+ references:
+ samm2:
+ - O-IM-1-A
+ iso27001-2017:
+ - 12.4.1
+ iso27001-2022:
+ - 8.15
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e9a6d403-a467-445e-b98a-74f0c29da0b1
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Simple budget metrics:
+ uuid: f08a3219-6941-43ec-8762-4aff739f4664
+ risk: Not getting notified about reaching the end of the budget (e.g. due to
+ a denial of service) creates unexpected costs.
+ measure: Cloud providers often provide insight into budgets. A threshold and
+ alarming for the budget is set.
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 1
+ resources: 1
+ usefulness: 5
+ level: 1
+ implementation:
+ - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8
+ name: collected
+ tags: []
+ references:
+ samm2:
+ - O-IM-1-A
+ iso27001-2017:
+ - 12.1.3
+ iso27001-2022:
+ - 8.6
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/f08a3219-6941-43ec-8762-4aff739f4664
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Simple system metrics:
+ uuid: 3d1f4c3b-f713-46d9-933a-54a014a26c03
+ risk: Without simple metrics analysis of incidents are hard.
In case an application
+ uses a lot of CPU from time to time, it is hard for a developer to find out
+ the source with Linux commands.
+ measure: Gathering of system metrics helps to identify incidents and specially
+ bottlenecks like in CPU usage, memory usage and hard disk usage.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 5
+ assessment: |
+ Are system metrics gathered?
+ level: 1
+ implementation:
+ - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8
+ name: collected
+ tags: []
+ references:
+ samm2:
+ - O-IM-1-A
+ iso27001-2017:
+ - 12.1.3
+ iso27001-2022:
+ - 8.6
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/3d1f4c3b-f713-46d9-933a-54a014a26c03
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Targeted alerting:
+ uuid: d6f06ae8-401a-4f44-85df-1079247fa030
+ risk: People are bored (ignorant) of incident alarm messages, as they are not
+ responsible to react.
+ measure: By the definition of target groups for incidents people are only getting
+ alarms for incidents they are in charge for.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 5
+ resources: 5
+ usefulness: 5
+ level: 3
+ dependsOn:
+ - Alerting
+ implementation: []
+ references:
+ samm2:
+ - I-DM-A 3
+ iso27001-2017:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 16.1.5
+ iso27001-2022:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 5.26
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d6f06ae8-401a-4f44-85df-1079247fa030
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Visualized metrics:
+ uuid: ded39bcf-4eaa-4c5f-9c94-09acde0a4734
+ risk: Not visualized metrics lead to restricted usage of metrics.
+ measure: Metrics are visualized in real time in a user friendly way.
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 2
+ dependsOn:
+ - Simple application metrics
+ - Simple system metrics
+ implementation: []
+ references:
+ samm2:
+ - O-IM-2-A
+ iso27001-2017:
+ - 12.1.3
+ iso27001-2022:
+ - 8.6
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ded39bcf-4eaa-4c5f-9c94-09acde0a4734
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Test KPI:
+ Fix rate per repo/product:
+ uuid: cf0d600e-114d-4887-9059-d81c53805f0d
+ risk: "Not communicating how many applications are adhering to SLAs based on
+ the criticality of vulnerabilities can lead to delayed remediation of \ncritical
+ security issues, increasing the risk of exploitation and potential damage
+ to the organization."
+ measure: "Measurement and communication of the number of vulnerabilities handled
+ per severity level for components such as applications, ensuring alignment
+ with SLAs. \nThe rate should be broken down by team, product, application,
+ repository, and/or service. This analysis should be conducted at least quarterly."
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 3
+ implementation:
+ - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
+ name: OWASP DefectDojo
+ tags:
+ - vulnerability management system
+ - owasp
+ url: https://github.com/DefectDojo/django-DefectDojo
+ description: |
+ DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
+ name: Purify
+ tags:
+ - vulnerability management system
+ url: https://github.com/faloker/purify/
+ description: |
+ The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
+ name: Business friendly vulnerability management metrics
+ url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ tags:
+ - documentation
+ - vulnerability
+ - vulnerability management system
+ - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
+ name: DefectDojo Client
+ tags:
+ - Defectdojo
+ - statistics
+ url: https://github.com/SDA-SE/defectdojo-client
+ description: |
+ This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/cf0d600e-114d-4887-9059-d81c53805f0d
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurements
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Generation of response statistics:
+ uuid: c922981b-65ed-40f3-a947-96fee9a0125f
+ risk: No or delayed reaction to findings leads to potential exploitation of
+ findings.
+ measure: Creation and response statistics (e.g. Mean Time to Resolution) of
+ findings. This is also referred to as _Mean Time to Resolve_.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 1
+ usefulness: 3
+ dependsOn:
+ - Usage of a vulnerability management system
+ level: 3
+ implementation:
+ - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
+ name: OWASP DefectDojo
+ tags:
+ - vulnerability management system
+ - owasp
+ url: https://github.com/DefectDojo/django-DefectDojo
+ description: |
+ DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
+ name: Purify
+ tags:
+ - vulnerability management system
+ url: https://github.com/faloker/purify/
+ description: |
+ The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
+ name: Business friendly vulnerability management metrics
+ url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ tags:
+ - documentation
+ - vulnerability
+ - vulnerability management system
+ - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
+ name: DefectDojo Client
+ tags:
+ - Defectdojo
+ - statistics
+ url: https://github.com/SDA-SE/defectdojo-client
+ description: |
+ This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
+ references:
+ samm2:
+ - I-DM-2-B
+ iso27001-2017:
+ - 16.1.4
+ - 8.2.3
+ iso27001-2022:
+ - 5.25
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/c922981b-65ed-40f3-a947-96fee9a0125f
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurements
+ comments: The [DefectDojo-Client](https://github.com/SDA-SE/defectdojo-client/tree/master/statistic-client)
+ generates statistics from OWASP DefectDojo and places the results in a [Github
+ repository](https://github.com/pagel-pro/cluster-image-scanner-all-results).
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Number of vulnerabilities/severity:
+ uuid: bc548cba-cb82-4f76-bd4b-325d9d256279
+ risk: Failing to convey the number of vulnerabilities by severity might undermine
+ the effectiveness of product teams. This might lead to ignorance of findings.
+ measure: Measurement and communication of vulnerabilities per severity for components
+ like applications. At least quarterly.
+ description: |-
+ Communication can be performed in a simple way, e.g. text based during the build process.
+ This activity depends on at least one security testing implementation.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 2
+ dependsOn: []
+ implementation: []
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/bc548cba-cb82-4f76-bd4b-325d9d256279
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurement
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Number of vulnerabilities/severity/layer:
+ uuid: 0ec92899-a5cb-4649-984b-2fb1d6c784ad
+ risk: Failing to convey the number of vulnerabilities by severity and layer
+ (app/infra) might undermine the effectiveness of product teams. This might
+ lead to ignorance of findings.
+ measure: Measurement and communication of vulnerabilities per severity for components
+ like applications and split it depending on the layer (e.g. app/infra). At
+ least quarterly.
+ description: |-
+ Communication can be performed in a simple way, e.g. text based during the build process.
+ This activity depends on at least one security testing implementation.
+ Layers to consider (SCA):
+ - Cloud provider (if insights are possible)
+ - Runtimes, e.g. Kubernetes nodes
+ - Base images and container images
+ - Application
+
+ Layers to consider SAST/DAST:
+ - Cloud provider
+ - Runtime, e.g. Kubernetes
+ - Base images and container images
+ - Application
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 2
+ dependsOn: []
+ implementation: []
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/0ec92899-a5cb-4649-984b-2fb1d6c784ad
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurement
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Patching mean time to resolution via PR:
+ uuid: 86d490b9-d798-4a5b-a011-ab9688014c46
+ risk: Without measuring Mean Time to Resolution (MTTR) related to patching,
+ it is challenging to identify delays in the patching process. Unaddressed
+ vulnerabilities can be exploited by attackers, leading to potential security
+ breaches and data loss.
+ measure: "Measurement and communication of patching Mean Time to Resolution
+ (MTTR) in alignment with Service Level Agreements (SLAs), conducted at least
+ on a quarterly basis.\nThis includes the measurement of the existence of a
+ properly configured automated pull request (PR) tool (e.g., Dependabot or
+ Renovate) in a repository. \nIn addition, the measurement of the time from
+ opening an automated PR to merging it.\n\nAverage time to patch is visualized
+ per component/project/team."
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 1
+ resources: 2
+ usefulness: 3
+ level: 2
+ dependsOn:
+ - Automated PRs for patches
+ implementation: []
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/86d490b9-d798-4a5b-a011-ab9688014c46
+ tags:
+ - patching
+ - metrics
+ - vmm-measurements
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Patching mean time to resolution via production:
+ uuid: 77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f
+ risk: Without measuring Mean Time to Resolution (MTTR) related to patching,
+ it is challenging to identify delays in the patching process. Unaddressed
+ vulnerabilities can be exploited by attackers, leading to potential security
+ breaches and data loss.
+ measure: |-
+ Measurement and communication of the time from the availability of a patch to its deployment in production in alignment with Service Level Agreements (SLAs), conducted at least on a quarterly basis.
+ Average time to patch is visualized per component/project/team.
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 1
+ resources: 2
+ usefulness: 3
+ level: 4
+ dependsOn:
+ - Patching mean time to resolution via PR
+ - Automated PRs for patches
+ implementation: []
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2017:
+ - 16.1.4
+ iso27001-2022:
+ - 5.25
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f
+ tags:
+ - patching
+ - metrics
+ - vmm-measurements
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ SLA per criticality:
+ uuid: 51f3fce5-b5c8-4683-8c41-e785fe4f3b5f
+ risk: "Not communicating how many applications are adhering to SLAs based on
+ the criticality of vulnerabilities can lead to delayed remediation of \ncritical
+ security issues, increasing the risk of exploitation and potential damage
+ to the organization."
+ measure: "Measurement and communication of how many of the vulnerabilities handling
+ per severity for components like applications are aligned to SLAs. \nThis
+ is performed for the hole organization and doesn't need to be broken down
+ (yet) on team/product/application. \nAt least quarterly."
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 3
+ dependsOn: []
+ implementation:
+ - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
+ name: OWASP DefectDojo
+ tags:
+ - vulnerability management system
+ - owasp
+ url: https://github.com/DefectDojo/django-DefectDojo
+ description: |
+ DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
+ name: Purify
+ tags:
+ - vulnerability management system
+ url: https://github.com/faloker/purify/
+ description: |
+ The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
+ name: Business friendly vulnerability management metrics
+ url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ tags:
+ - documentation
+ - vulnerability
+ - vulnerability management system
+ - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
+ name: DefectDojo Client
+ tags:
+ - Defectdojo
+ - statistics
+ url: https://github.com/SDA-SE/defectdojo-client
+ description: |
+ This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/51f3fce5-b5c8-4683-8c41-e785fe4f3b5f
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurements
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+Test and Verification:
+ Application tests:
+ High coverage of security related module and integration tests:
+ uuid: 67667c97-c33e-4306-a4e5-e7b1d8e10c5a
+ risk: Vulnerabilities are rising due to code changes in a complex microservice
+ environment in not important components.
+ measure: Implementation of security related tests via unit tests and integration
+ tests. Including the test of libraries, in case the are not tested already.
+ difficultyOfImplementation:
+ knowledge: 5
+ time: 5
+ resources: 3
+ usefulness: 3
+ level: 5
+ implementation: []
+ references:
+ samm2:
+ - V-ST-3-B
+ iso27001-2017:
+ - 14.2.3
+ - 14.2.8
+ iso27001-2022:
+ - 8.32
+ - 8.29
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
+ tests/67667c97-c33e-4306-a4e5-e7b1d8e10c5a
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Security integration tests for important components:
+ uuid: f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715
+ risk: Vulnerabilities are rising due to code changes in a complex microservice
+ environment.
+ measure: Implementation of essential security related integration tests. For
+ example for authentication and authorization.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 4
+ resources: 2
+ usefulness: 2
+ level: 3
+ references:
+ samm2:
+ - V-ST-3-B
+ iso27001-2017:
+ - 14.2.3
+ - 14.2.8
+ iso27001-2022:
+ - 8.32
+ - 8.29
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
+ tests/f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Security unit tests for important components:
+ uuid: eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075
+ risk: Vulnerabilities are rising due to code changes.
+ measure: Usage of unit tests to test important security related features like
+ authentication and authorization.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 4
+ resources: 2
+ usefulness: 3
+ level: 2
+ comments: |
+ The integration of module tests takes place during development instead, it highlights vulnerabilities in sub-routines, functions, modules, libraries etc. checked.
+ A sample implementation of unit tests are explained in the video [Shift-Left-Security with the Security Test Pyramid - Andreas Falk](https://www.youtube.com/watch?v=TzFZy3f7d8E) starting with minute 9.
+ implementation:
+ - uuid: cc2eec82-f3a7-4ae5-9ccb-3d75352b2e4d
+ name: JUnit
+ tags:
+ - unittest
+ url: https://junit.org/junit5/
+ - uuid: fd56720a-ad4b-487c-b4c3-897a688672c4
+ name: Karma
+ tags: []
+ url: https://karma-runner.github.io
+ references:
+ samm2:
+ - V-ST-3-B
+ iso27001-2017:
+ - 14.2.3
+ - 14.2.8
+ iso27001-2022:
+ - 8.32
+ - 8.29
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
+ tests/eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Smoke Test:
+ uuid: 73aaae0b-5d68-4953-9fa4-fd25bf665f2a
+ risk: During a deployment an error might happen which leads to non-availability
+ of the system, a part of the system or a feature.
+ measure: Integration tests are performed against the production environment
+ after each deployment.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 2
+ level: 4
+ implementation: []
+ dependsOn:
+ - Defined deployment process
+ references:
+ samm2:
+ - V-ST-3-B
+ iso27001-2017:
+ - 14.2.3
+ - 14.2.8
+ iso27001-2022:
+ - 8.32
+ - 8.29
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
+ tests/73aaae0b-5d68-4953-9fa4-fd25bf665f2a
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Consolidation:
+ Advanced visualization of defects:
+ uuid: 7a82020c-94d1-471c-bbd3-5f7fe7df4876
+ risk: Correlation of the vulnerabilities of different tools to have an overview
+ of the the overall security level per component/project/team is not given.
+ measure: Findings are visualized per component/project/team.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 4
+ resources: 1
+ usefulness: 2
+ level: 4
+ implementation:
+ - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
+ name: OWASP DefectDojo
+ tags:
+ - vulnerability management system
+ - owasp
+ url: https://github.com/DefectDojo/django-DefectDojo
+ description: |
+ DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
+ name: Purify
+ tags:
+ - vulnerability management system
+ url: https://github.com/faloker/purify/
+ description: |
+ The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
+ name: Business friendly vulnerability management metrics
+ url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ tags:
+ - documentation
+ - vulnerability
+ - vulnerability management system
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2017:
+ - 16.1.4
+ - 8.2.1
+ - 8.2.2
+ - 8.2.3
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/7a82020c-94d1-471c-bbd3-5f7fe7df4876
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Fix based on accessibility:
+ uuid: 0c10a7f7-f78f-49f2-943d-19fdef248fed
+ risk: Overwhelming volume of security findings from automated testing tools.
+ This might lead to ignorance of findings.
+ measure: Implement a simple risk-based prioritization framework for vulnerability
+ remediation based on accessibility of the applications.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 1
+ usefulness: 4
+ level: 3
+ meta:
+ implementationGuide: |-
+ Develop a scoring system for asset accessibility, considering factors like:
+ - Whether the asset is internet-facing (highly recommended)
+ - The number of network hops required to reach the asset (recommended)
+ - Authentication requirements for access (recommended)
+ dependsOn:
+ - Treatment of defects with severity high or higher
+ - Inventory of production components
+ implementation: ~
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2017:
+ - 16.1.4
+ - 8.2.1
+ - 8.2.2
+ - 8.2.3
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/0c10a7f7-f78f-49f2-943d-19fdef248fed
+ tags:
+ - vuln-action
+ - defect-management
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Integration in development process:
+ uuid: aaffa73f-59f6-4267-b0ab-732f3d13e90d
+ risk: "Not integrating vulnerability handling into the development process may
+ result in product teams ignoring findings. \n\nSecurity joke: We will gain
+ 100% false negatives."
+ measure: Integration of findings into the development process. E.g. adding findings
+ to the backlog of products teams.
+ description: |-
+ Validating Findings by Security Engineers Pros:
+ - Ensures accuracy and relevance of findings before they reach product teams
+ - Reduces false positives, saving development teams time and effort
+ - Might provides a layer of expertise in assessing the severity and impact of vulnerabilities
+
+ Validating Findings by Security Engineers Cons:
+ - Requires a sufficient number of skilled security engineers, which might be challenging for some organizations
+ - May slow down the process if security engineers are overloaded with validation tasks
+ - For Software Composition Analysis findings (known vulnerabilities) I, as a sec.
eng., struggle to analysis if it is a false positive/true positive due to a lack of insights in the application
+
+ Pushing Findings Directly to Product Teams Pros:
+ - Accelerates the process by immediately notifying product teams of potential vulnerabilities
+ - Empowers product teams to take swift action in addressing security issues
+ Pushing Findings Directly to Product Teams Cons:
+ - Increases the workload on product teams, potentially leading to frustration
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 3
+ dependsOn: []
+ implementation:
+ - uuid: 889444eb-de68-4367-bada-a66f8cb9733a
+ name: Jira
+ tags:
+ - documentation
+ - issue
+ - proprietary
+ url: https://jira.atlassian.com/
+ description: Jira is a bug tracking and project management tool developed
+ by Atlassian, used by development teams for tracking issues, planning sprints,
+ and managing software releases. It offers features for creating and managing
+ tasks, assigning them to team members, and monitoring progress through customizable
+ workflows and dashboards.
+ - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
+ name: OWASP DefectDojo
+ tags:
+ - vulnerability management system
+ - owasp
+ url: https://github.com/DefectDojo/django-DefectDojo
+ description: |
+ DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
+ name: Purify
+ tags:
+ - vulnerability management system
+ url: https://github.com/faloker/purify/
+ description: |
+ The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+ - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
+ name: DefectDojo Client
+ tags:
+ - Defectdojo
+ - statistics
+ url: https://github.com/SDA-SE/defectdojo-client
+ description: |
+ This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/aaffa73f-59f6-4267-b0ab-732f3d13e90d
+ tags:
+ - vulnerability-mgmt
+ - vmm-measurements
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Integration of vulnerability issues into the development process:
+ uuid: ce970c9b-da94-41cf-bd78-8c15357b7e8e
+ risk: To read console output of the build server to search for vulnerabilities
+ might be difficult. Also, to check a vulnerability management system might
+ not be a daily task for a developer.
+ measure: Vulnerabilities are tracked in the teams issue system (e.g. jira).
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 1
+ usefulness: 2
+ level: 3
+ implementation:
+ - uuid: aaad322e-806e-4c51-b78d-6551f7dc376a
+ name: SAST
+ tags: []
+ description: 'At SAST (Static Application Security Testing): Server-side /
+ client-side teams can easily be recorded. With microservice architecture
+ individual microservices can be used usually Teams.'
+ url: https://d3fend.mitre.org/dao/artifact/d3f:StaticAnalysisTool/
+ - uuid: 9d4bd377-11ec-4054-9c9e-9bfb99ac9609
+ name: DAST
+ tags: []
+ description: 'At DAST (Dynamic Application Security Testing): vulnerabilities
+ are classified and can be assigned to server-side and client-side teams.'
+ url: https://d3fend.mitre.org/dao/artifact/d3f:DynamicAnalysisTool/
+ references:
+ samm2:
+ - I-DM-2-B
+ iso27001-2017:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 16.1.4
+ - 16.1.5
+ - 16.1.6
+ iso27001-2022:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 5.25
+ - 5.26
+ - 5.27
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/ce970c9b-da94-41cf-bd78-8c15357b7e8e
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Reproducible defect tickets:
+ uuid: 27337442-e4b1-4e87-8dc9-ce86fbb79a39
+ risk: Vulnerability descriptions are hard to understand by staff from operations
+ and development.
+ measure: Vulnerabilities include the test procedure to give the staff from operations
+ and development the ability to reproduce vulnerabilities. This enhances the
+ understanding of vulnerabilities and therefore the fix have a higher quality.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 2
+ resources: 2
+ usefulness: 2
+ level: 4
+ implementation: []
+ references:
+ samm2:
+ - I-DM-2-B
+ iso27001-2017:
+ - 16.1.4
+ - 8.2.1
+ - 8.2.2
+ - 8.2.3
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/27337442-e4b1-4e87-8dc9-ce86fbb79a39
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Simple false positive treatment:
+ uuid: c1acc8af-312e-4503-a817-a26220c993a0
+ risk: As false positive occur during each test, all vulnerabilities might be
+ ignored. Specially, if tests are automated an run daily.
+ measure: |- + Findings from security tests must be triaged and outcomes persisted/documented to: + - Prevent re-analysis of known issues in subsequent test runs + - Track accepted risks vs false positives + - Enable consistent decision-making across teams + + At this maturity level, a simple tracking system suffices - tools need only distinguish between "triaged" and "untriaged" findings, without complex categorization. Some tools refer to this as "suppression" of findings. + + Samples for false positive handling: + - [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck/general/suppression.html) + - [Kubescape with VEX](https://kubescape.io/blog/2023/12/07/kubescape-support-for-vex-generation/) + - [OWASP DefectDojo Risk Acceptance](https://docs.defectdojo.com/en/working_with_findings/findings_workflows/risk_acceptances/) and [False Positive Handling](https://docs.defectdojo.com/en/working_with_findings/intro_to_findings/#triage-vulnerabilities-using-finding-status) + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 4 + level: 1 + implementation: + - uuid: bb9d0f2d-f8bc-46b5-bbc7-7dbcf927191c + name: OWASP Defect Dojo + tags: [] + url: https://github.com/DefectDojo/django-DefectDojo + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
+ references: + samm2: + - I-DM-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 16.1.6 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/c1acc8af-312e-4503-a817-a26220c993a0 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Simple visualization of defects: + uuid: 55f4c916-3a34-474d-ad96-9a9f7a4f6a83 + risk: The security level of a component is not visible. Therefore, the motivation + to enhance the security is not give. + measure: Vulnerabilities are simple visualized. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207 + name: OWASP Dependency Check + tags: + - OpenSource + - Supply Chain + - vulnerability + url: https://owasp.org/www-project-dependency-check/ + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: ef80cd34-d3ba-4406-a4fa-4cf6f30c2e81 + name: LogParser Jenkins Plugins + tags: [] + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. 
DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. + references: + samm2: + - I-DM-1-B + iso27001-2017: + - 16.1.4 + - 8.2.1 + - 8.2.2 + - 8.2.3 + iso27001-2022: + - 5.25 + - 5.12 + - 5.13 + - 5.1 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/55f4c916-3a34-474d-ad96-9a9f7a4f6a83 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Treatment of all defects: + uuid: b2f77606-3e6c-41e9-b72d-7c0b1d3d581d + risk: Vulnerabilities with severity low are not visible. + measure: All vulnerabilities are added to the quality gate. + difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 1 + usefulness: 2 + level: 5 + implementation: [] + references: + samm2: + - I-DM-2-B + iso27001-2017: + - 16.1.4 + - 12.6.1 + iso27001-2022: + - 8.8 + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/b2f77606-3e6c-41e9-b72d-7c0b1d3d581d + tags: + - vuln-action + - defect-management + comments: "" + teamsImplemented: + Default: false + B: false + C: false + Treatment of defects per protection requirement: + uuid: 2b7cc923-bdaf-43e3-8fb4-a995b7783969 + risk: "Not defining the protection requirement of applications can lead to wrong + prioritization, delayed remediation of \ncritical security issues, increasing + the risk of exploitation and potential damage to the organization." 
+ measure: "Defining the protection requirement and the corresponding handling + of vulnerabilities per severity for components like applications are aligned + to SLAs. \n This is performed for the hole organization and doesn't need to + be broken down (yet) on team/product/application. \n At least quarterly." + description: |- + The protection requirements for an application should consider: + - Data criticality + - Application accessibility (internal vs. external) + - Regulatory compliance + - Other relevant factors + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + dependsOn: [] + implementation: + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde + name: Business friendly vulnerability management metrics + url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 + tags: + - documentation + - vulnerability + - vulnerability management system + - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f + name: DefectDojo Client + tags: + - Defectdojo + - statistics + url: https://github.com/SDA-SE/defectdojo-client + description: | + This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. + references: + samm2: + - I-DM-3-B + iso27001-2022: + - 5.25 + - 5.12 + - 5.13 + - 5.1 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/2b7cc923-bdaf-43e3-8fb4-a995b7783969 + tags: + - vulnerability-mgmt + - metrics + - vmm-measurements + teamsImplemented: + Default: false + B: false + C: false + Treatment of defects with severity high or higher: + uuid: 44f2c8a9-4aaa-4c72-942d-63f78b89f385 + risk: Vulnerabilities with severity high or higher are not visible. + measure: Vulnerabilities with severity high or higher are added to the quality + gate. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 1 + comments: False positive analysis, specially for static analysis, is time consuming. + references: + samm2: + - I-DM-2-B + iso27001-2017: + - 16.1.4 + - 12.6.1 + iso27001-2022: + - 8.8 + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/44f2c8a9-4aaa-4c72-942d-63f78b89f385 + implementation: [] + tags: + - vuln-action + - defect-management + teamsImplemented: + Default: false + B: false + C: false + Treatment of defects with severity middle: + uuid: 9cac3341-fe83-4079-bef2-bfc4279eb594 + risk: Vulnerabilities with severity middle are not visible. 
+ measure: Vulnerabilities with severity middle are added to the quality gate. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 3 + comments: False positive analysis, specially for static analysis, is time consuming. + references: + samm2: + - I-DM-2-B + iso27001-2017: + - 16.1.4 + - 12.6.1 + iso27001-2022: + - 8.8 + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/9cac3341-fe83-4079-bef2-bfc4279eb594 + implementation: [] + tags: + - vuln-action + - defect-management + teamsImplemented: + Default: false + B: false + C: false + Usage of a vulnerability management system: + uuid: 85ba5623-84be-4219-8892-808837be582d + risk: Maintenance of false positives in each tool enforces a high workload. + In addition a correlation of the same finding from different tools is not + possible. + measure: Aggregation of vulnerabilities in one tool reduce the workload to handle + them, e.g. mark as false positives. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 2 + dependsOn: + - Exploit likelihood estimation + - Each team has a security champion + - Office Hours + level: 3 + description: "For known vulnerabilities a processes to estimate the exploit + ability of a vulnerability is recommended.\n\nTo implement a security culture + including training, office hours and security champions can help integrating + \nsecurity scanning at scale. Such activities help to understand why a vulnerability + is potentially critical and needs handling." + implementation: + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. 
DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. + - uuid: d899488c-5799-4df1-a14c-3bb92fec3ac3 + name: SecObserve + tags: + - vulnerability management system + url: https://github.com/MaibornWolff/SecObserve + description: | + The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools. + references: + samm2: + - I-DM-1-B + iso27001-2017: + - 12.6.1 + - 16.1.3 + - 16.1.4 + - 16.1.5 + - 16.1.6 + iso27001-2022: + - 8.8 + - 6.8 + - 5.25 + - 5.26 + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/85ba5623-84be-4219-8892-808837be582d + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Dynamic depth for applications: + Coverage analysis: + uuid: d0ba0be5-c573-405f-b905-b7a8f87a9cc7 + risk: Parts of the service are not still covered by tests. + measure: Check that there are no missing paths in the application with coverage-tools. 
+ difficultyOfImplementation: + knowledge: 4 + time: 5 + resources: 3 + usefulness: 4 + level: 5 + implementation: + - uuid: 7063cf8c-cd98-480f-8ef7-11cf241d2366 + name: OWASP Code Pulse + tags: [] + url: https://www.owasp.org/index.php/OWASP_Code_Pulse + - uuid: f011de6e-ab7c-4ec7-af55-03427271ab32 + name: Coverage.py + tags: + - testing + - coverage + url: https://github.com/nedbat/coveragepy + description: | + Code coverage measurement for Python + references: + samm2: + - V-ST-2-A + iso27001-2017: + - not explicitly covered by ISO 27001 - too specific + - part of periodic review, PDCA + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/d0ba0be5-c573-405f-b905-b7a8f87a9cc7 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Coverage of client side dynamic components: + uuid: 9711f871-f79d-4573-8d4f-d2c98fd0d18e + risk: Parts of the service are not covered during the scan, because JavaScript + is not getting executed. Therefore, the coverage of client-side dynamic components + is limited, leading to potential security risks and undetected vulnerabilities. + measure: Usage of a spider which executes dynamic content like JavaScript, e.g. + via Selenium. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 4 + level: 2 + dependsOn: + - Usage of different roles + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/9711f871-f79d-4573-8d4f-d2c98fd0d18e + implementation: + - uuid: 6583fd5f-4314-4b39-9265-de72f861c8cb + name: Ajax Spider + tags: [] + url: https://www.zaproxy.org/docs/desktop/addons/ajax-spider/ + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Coverage of hidden endpoints: + uuid: 6a9cb303-0f98-48a8-bdcd-56d41c0012b8 + risk: Hidden endpoints of the service are not getting tracked. + measure: Hidden endpoints are getting detected and included in the vulnerability + scan. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 1 + usefulness: 5 + level: 3 + implementation: + - uuid: f2a5f642-43b3-4b2c-97d5-b14d5964981b + name: cURL + tags: [] + url: https://curl.se/ + - uuid: 7ce77258-bf65-4e7a-9627-daf765ee1d77 + name: OpenAPI Specifications + tags: [] + url: https://spec.openapis.org/ + - uuid: 42a87524-ec35-4de2-a30c-1a7c7d045801 + name: OWASP Zap + tags: + - vulnerability + - scanner + url: https://github.com/zaproxy/zaproxy + description: | + The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of ... + - uuid: c9bbecf2-567b-4422-b29a-67b16385f32b + name: Schemathesis + tags: + - testing + - api + - documentation + url: https://github.com/schemathesis/schemathesis + description: | + Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema. 
+ dependsOn: + - Usage of different roles + references: + samm2: + - V-ST-2-A + iso27001-2017: + - not explicitly covered by ISO 27001 - too specific + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/6a9cb303-0f98-48a8-bdcd-56d41c0012b8 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Coverage of more input vectors: + uuid: 5e0ff85b-ec89-4ef0-96b1-5695fa0025dc + risk: Parts of the service are not covered. For example specially formatted + or coded parameters are not getting detected as parameter (e.g. parameters + in REST-like URLs, parameters in JSON-Format or base64-coded parameters). + measure: Special parameter and special encodings are defined, so that they get + fuzzed by the used vulnerability scanners. + difficultyOfImplementation: + knowledge: 5 + time: 5 + resources: 1 + usefulness: 4 + level: 3 + dependsOn: + - Usage of different roles + references: + samm2: + - V-ST-2-A + iso27001-2017: + - not explicitly covered by ISO 27001 - too specific + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/5e0ff85b-ec89-4ef0-96b1-5695fa0025dc + implementation: + - uuid: c9bbecf2-567b-4422-b29a-67b16385f32b + name: Schemathesis + tags: + - testing + - api + - documentation + url: https://github.com/schemathesis/schemathesis + description: | + Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema. + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Coverage of sequential operations: + uuid: 845f06ec-148c-4c67-9755-7041911dcca5 + risk: Sequential operations like workflows (e.g. 
login -> put products in the + basket + measure: Sequential operations are defined and checked by the vulnerability + scanner in the defined order. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 5 + level: 3 + implementation: + - uuid: f2a5f642-43b3-4b2c-97d5-b14d5964981b + name: cURL + tags: [] + url: https://curl.se/ + dependsOn: + - Usage of different roles + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 14.2.8 + - 14.2.3 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/845f06ec-148c-4c67-9755-7041911dcca5 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Coverage of service to service communication: + uuid: 22aab0ef-76ce-4b8c-979c-3699784330db + risk: Service to service communication is not covered. + measure: Service to service communication is dumped and checked. + difficultyOfImplementation: + knowledge: 4 + time: 5 + resources: 2 + usefulness: 3 + level: 5 + dependsOn: + - Simple Scan + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/22aab0ef-76ce-4b8c-979c-3699784330db + implementation: + - uuid: 000b55f9-e6fd-4649-8290-27876a0409e2 + name: Citrus Fresh Integration Testing + tags: + - framework + - testing + url: https://citrusframework.org/ + description: Integration Test framework with focus on messaging applications + and Microservices. + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Simple Scan: + uuid: 07796811-37f9-467c-9ff2-48f346e77ff3 + risk: Deficient security tests are performed. Simple vulnerabilities are not + detected and missing security configurations (e.g. headers) are not set. Fast + feedback is not given. 
+ measure: A simple scan is performed to get a security baseline. In case the + test is done in under 10 minutes, it should be part of the build and deployment + process. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 1 + level: 2 + dependsOn: + - Defined build process + implementation: + - uuid: 42a87524-ec35-4de2-a30c-1a7c7d045801 + name: OWASP Zap + tags: + - vulnerability + - scanner + url: https://github.com/zaproxy/zaproxy + description: | + The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of ... + - uuid: 83ae1e92-5eb9-4467-b3d3-fd2f96e6ab63 + name: Arachni + url: https://github.com/Arachni/arachni + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/07796811-37f9-467c-9ff2-48f346e77ff3 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of different roles: + uuid: 65a2d7d9-5441-46bf-a4e3-f76919857750 + risk: Parts of the service are not covered during the scan, because a login + is not performed. + measure: Integration of authentication with all roles used in the service. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 2 + level: 2 + dependsOn: + - Simple Scan + references: + samm2: + - V-ST-2-A + iso27001-2017: + - not explicitly covered by ISO 27001 - too specific + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/65a2d7d9-5441-46bf-a4e3-f76919857750 + implementation: + - uuid: 7eb37566-02d5-4fff-8dcf-8fcd1c8197f3 + name: Zest + url: https://www.zaproxy.org/docs/desktop/addons/zest/ + tags: + - zap + description: | + Zest is an experimental specialized scripting language (also known as a domain-specific language) originally developed by the Mozilla security team and is intended to be used in web oriented security tools. + assessment: For REST APIs, multiple OAuth2 scopes are used. + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of multiple scanners: + uuid: 5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea + risk: Each vulnerability scanner has different opportunities. By using just + one scanner, some vulnerabilities might not be found. + measure: Usage of multiple spiders and scanner enhance the coverage and the + vulnerabilities. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 5 + usefulness: 1 + level: 4 + dependsOn: + - Usage of different roles + implementation: + - uuid: f220b299-0917-4750-96c5-d81cd402b4df + name: OWASP secureCodeBox + tags: + - vulnerability + - scanner-orchestration + url: https://github.com/secureCodeBox/secureCodeBox + description: | + secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box. 
+ references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Dynamic depth for infrastructure: + Load tests: + uuid: ab5725aa-4d53-47b9-96df-c14b3fa93bcd + risk: As it is unknown how many requests the systems and applications can serve, + due to an unexpected load the availability is disturbed. + measure: Load test against the production system or a production near system + is performed. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 5 + usefulness: 3 + level: 4 + implementation: [] + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 12.1.3 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.6 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for infrastructure/ab5725aa-4d53-47b9-96df-c14b3fa93bcd + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for exposed services: + uuid: a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8 + risk: Standard network segmentation and firewalling has not been performed, + leading to world open cluster management ports. + measure: With the help of tools the network configuration of unintentional exposed + cluster(s) are tested. To identify clusters, all subdomains might need to + be identified with a tool like OWASP Amass to perform port scans based o the + result. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 2 + dependsOn: + - Isolated networks for virtual environments + usefulness: 2 + level: 2 + implementation: + - uuid: 08111dc3-bdc4-47d8-8f2e-10bb50a86882 + name: nmap + tags: [] + url: https://nmap.org/ + - uuid: f085295e-46a3-4c8d-bbc3-1ac6b9dfcf2a + name: OWASP Amass + tags: [] + url: https://github.com/OWASP/Amass + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 13.1.3 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.22 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for infrastructure/a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for unauthorized installation: + uuid: dccf1949-b9a8-4ce8-b992-6a4a7f3a623a + risk: Unapproved components are used. + measure: Components must be whitelisted. Regular scans on the docker infrastructure + (e.g. cluster) need to be performed, to verify that only standardized base + images are used. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 349cf64c-abea-40bb-bd07-9c98ce648fa4 + name: 'Example: All docker images used by teams need to be based on standard + images.' 
+ tags: [] + comments: By preventing teams from trying out new components, innovation might + be hampered + references: + samm2: [] + iso27001-2017: + - 12.5.1 + - 12.6.1 + iso27001-2022: + - 8.19 + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for infrastructure/dccf1949-b9a8-4ce8-b992-6a4a7f3a623a + dependsOn: + - Evaluation of the trust of used components + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for unused Resources: + uuid: 6532c1fe-9d23-4228-8722-558ddabca7d4 + risk: Unused resources, specially secrets, might be still valid, but are exposing + information. As an attacker, I compromise a system, gather credentials and + try to use them. + measure: Test for unused resources helps to identify unused resources. + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 2 + level: 5 + implementation: + - uuid: 8fea20ad-e332-4aa8-b1f1-aa9deb635dc1 + name: K8sPurger + tags: + - vulnerability + - scanner + - dast + - infrastructure + url: https://github.com/yogeshkk/K8sPurger + description: | + Hunt Unused Resources In Kubernetes. + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 13.1.3 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.22 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for infrastructure/6532c1fe-9d23-4228-8722-558ddabca7d4 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test network segmentation: + uuid: 6d2c3ac6-8afc-4af6-a5e9-6188341aca01 + risk: Wrong or no network segmentation of pods makes it easier for an attacker + to access a database and extract or modify data. + measure: Cluster internal test needs to be performed. Integration of fine granulated + network segmentation (also between pods in the same namespace). 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: fffa6fb9-1fae-4852-88dc-c7086961330c + name: netassert + tags: [] + url: https://github.com/controlplaneio/netassert + dependsOn: + - Isolated networks for virtual environments + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 13.1.3 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.22 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for infrastructure/6d2c3ac6-8afc-4af6-a5e9-6188341aca01 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test of the configuration of cloud environments: + uuid: 7bb70764-9392-4462-935d-e55b2e148199 + risk: Standard hardening practices for cloud environments are not performed + leading to vulnerabilities. + measure: With the help of tools the configuration of virtual environments are + tested. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 2 + implementation: + - uuid: 893d9f37-2142-4490-996c-e43b55064d3d + name: kubescape + url: https://github.com/armosec/kubescape + tags: + - kubernetes + - vulnerability + - misconfiguration + description: _Testing if Kubernetes is deployed securely as defined in Kubernetes + Hardening Guidance by to NSA and CISA_ + - uuid: 2af7204c-a25c-4625-9775-889978386407 + name: kube-hunter + tags: [] + url: https://github.com/aquasecurity/kube-hunter + - uuid: d45fba7d-f176-4f06-a33c-434b17ec8a8f + name: openVAS + tags: [] + url: https://www.openvas.org/ + references: + samm2: [] + iso27001-2017: + - System hardening is not explicitly covered by ISO 27001 - too specific + - 12.6.1 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - System hardening is not explicitly covered by ISO 27001 - too specific + - 8.8 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth 
for infrastructure/7bb70764-9392-4462-935d-e55b2e148199 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Weak password test: + uuid: 61e10f9c-e126-4ffa-af12-fdbe0d0a831f + risk: Weak passwords in components like applications or systems, specially for + privileged accounts, lead to take over of that account. + measure: Automatic brute force attacks are performed. Specially the usage of + standard accounts like 'admin' and employee user-ids is recommended. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 1 + level: 3 + implementation: + - uuid: b99c9d52-dd1a-4aef-8699-65173cf978ce + name: HTC Hydra + tags: + - password + url: https://www.htc-cs.com/en/products/htc-hydra/ + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 9.4.3 + iso27001-2022: + - 5.17 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for infrastructure/61e10f9c-e126-4ffa-af12-fdbe0d0a831f + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Static depth for applications: + API design validation: + uuid: 017d9e26-42b5-49a4-b945-9f59b308fb99 + risk: Creation of insecure or non-compliant API. + measure: | + Design contract-first APIs using an interface description language such as OpenAPI, AsyncAPI or SOAP + and validate the specification using specific tools. + Checks should be integrated in IDEs and CI/CD pipelines. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - uuid: 261f243e-f89c-4169-b076-b22a03ec00be + name: Spectral + tags: + - linting + - api + - documentation + url: https://github.com/stoplightio/spectral + description: | + Spectral is a flexible JSON/YAML linter built with extensibility in mind. + It uses JSON/YAML path rules to describe the problems you want to find. 
+ - uuid: d2c9403d-9da2-4518-b33f-8b74b9c5ca3f + name: API OAS Checker + tags: + - linting + - api + - documentation + url: https://github.com/italia/api-oas-checker + description: | + A tool to check OpenAPI specifications using a comprehensive ruleset based + on API best practices. + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 14.2.1 + - 14.2.5 + iso27001-2022: + - 8.25 + - 8.27 + - 8.28 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/017d9e26-42b5-49a4-b945-9f59b308fb99 + dependsOn: + - Inventory of production components + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Dead code elimination: + uuid: a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d + risk: Dead code increases the attack surface (use of hard coded credentials + and variables, sensitive information) + measure: Collection of unused code and then manual removal of unused code. + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 1 + level: 5 + implementation: + - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb + name: PMD + tags: [] + dependsOn: + - Defined build process + references: + samm2: + - V-ST-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Exclusion of source code duplicates: + uuid: d17dbff0-1f10-492a-b4c7-17bb59a0a711 + risk: Duplicates in source code might influence the stability of the application. + measure: Automatic Detection and manual removal of duplicates in source code. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 1 + level: 5 + implementation: + - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb + name: PMD + tags: [] + dependsOn: + - Defined build process + references: + samm2: + - V-ST-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/d17dbff0-1f10-492a-b4c7-17bb59a0a711 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Exploit likelihood estimation: + uuid: f2f0f274-c1a0-4501-92fe-7fc4452bc8ad + risk: Without proper prioritization, organizations may waste time and effort + on low-risk vulnerabilities while neglecting critical ones. + measure: Estimate the likelihood of exploitation by using data (CISA KEV) from + the past or prediction models (EPSS). + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - Software Composition Analysis (server side) + implementation: + - uuid: aa507341-9531-42cd-95cf-d7b51af47086 + name: Known Exploited Vulnerabilities + tags: + - vulnerability + url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog + description: A catalog of vulnerabilities that have been exploited. + - uuid: e39afc58-8195-4600-92c6-11922e3a141b + name: Exploit Prediction Scoring System + tags: + - vulnerability + url: https://www.first.org/epss/ + description: Estimates the likelihood that a software vulnerability will be + exploited. 
+ references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/f2f0f274-c1a0-4501-92fe-7fc4452bc8ad + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Local development security checks performed: + uuid: 6e180abc-7c98-4265-b4e9-852cb91b067b + risk: Creating and developing code contains code smells and quality issues. + measure: | + Integration of quality and linting plugins with interactive development environment (IDEs). + Implement pre-commit checks to prevent secrets & other security issues being commit to source code. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 4 + level: 3 + implementation: + - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 + name: Fortify Extension for Visual Studio Code + url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code + tags: + - ide + - sast + - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005 + name: Setting Up the Visual Studio Code Extension Plugin + url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin + tags: + - ide + - sast + - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb + name: HCL AppScan CodeSweep + url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep + tags: + - ide + - sast + - uuid: 58ac9dea-b6c7-4698-904e-df89a9451c82 + name: DevSecOps control Pre-commit + url: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls#plan-and-develop + tags: + - pre-commit + - uuid: 8da8d115-0f4e-40f0-a3ce-484a49e845fb + name: Building your DevSecOps pipeline 5 essential activities + url: https://www.synopsys.com/blogs/software-security/devsecops-pipeline-checklist/ + tags: + - pre-commit + references: + samm2: + - V-ST-1-A + iso27001-2017: + - Hardening is 
not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/6e180abc-7c98-4265-b4e9-852cb91b067b + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Software Composition Analysis (client side): + uuid: 07fe8c4f-ae33-4409-b1b2-cf64cfccea86 + risk: Client side components might have vulnerabilities. + measure: Tests for known vulnerabilities in components via Software Composition + Analysis of the frontend are performed. + difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 2 + level: 3 + dependsOn: + - Defined build process + - Inventory of production components + - Exploit likelihood estimation + implementation: + - uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7 + name: retire.js + tags: [] + url: https://github.com/RetireJS/retire.js/ + - uuid: 7c26484a-763c-437d-b953-d482a4fd7cf3 + name: npm audit + tags: [] + url: https://docs.npmjs.com/cli/audit + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: 5c0e817b-204e-4301-a315-2f7cc180c240 + name: Dependabot + tags: + - dependency + - dependency-management + - scm + url: https://github.com/dependabot/dependabot-core + description: | + Dependabot creates pull requests to keep your dependencies secure and up-to-date. 
+ references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/07fe8c4f-ae33-4409-b1b2-cf64cfccea86 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Software Composition Analysis (server side): + uuid: d918cd44-a972-43e9-a974-eff3f4a5dcfe + description: Use a tool like trivy and concentrate on application related vulnerabilities. + At this stage, ignore vulnerabilities in container base images used in the + service. + risk: Server side components might have vulnerabilities. + measure: Tests for known vulnerabilities in server side components (e.g. backend/middleware) + are performed. + difficultyOfImplementation: + knowledge: 1 + time: 3 + resources: 1 + usefulness: 5 + level: 2 + dependsOn: + - Defined build process + - Inventory of production components + implementation: + - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207 + name: OWASP Dependency Check + tags: + - OpenSource + - Supply Chain + - vulnerability + url: https://owasp.org/www-project-dependency-check/ + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). 
+ url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7 + name: retire.js + tags: [] + url: https://github.com/RetireJS/retire.js/ + - uuid: 7c26484a-763c-437d-b953-d482a4fd7cf3 + name: npm audit + tags: [] + url: https://docs.npmjs.com/cli/audit + - uuid: 5c0e817b-204e-4301-a315-2f7cc180c240 + name: Dependabot + tags: + - dependency + - dependency-management + - scm + url: https://github.com/dependabot/dependabot-core + description: | + Dependabot creates pull requests to keep your dependencies secure and up-to-date. + - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b + name: https://github.com/aquasecurity/trivy + tags: [] + url: https://github.com/aquasecurity/trivy + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/d918cd44-a972-43e9-a974-eff3f4a5dcfe + tags: + - vmm-testing + teamsImplemented: + Default: false + B: false + C: false + Static analysis for all components/libraries: + uuid: f4ff841d-3b2a-45d9-853e-5ec7ecbcb054 + risk: Used components like libraries and legacy applications might have vulnerabilities + measure: Usage of a static analysis for all used components. 
+ difficultyOfImplementation: + knowledge: 2 + time: 4 + resources: 2 + usefulness: 3 + level: 5 + dependsOn: + - Static analysis for important client side components + - Static analysis for important server side components + - Inventory of production components + implementation: [] + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/f4ff841d-3b2a-45d9-853e-5ec7ecbcb054 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Static analysis for all self written components: + uuid: ee68331f-9b1d-4f61-844b-b2ea04753a84 + risk: Parts in the source code of the frontend or middleware have vulnerabilities. + measure: Usage of static analysis tools for all parts of the middleware and + frontend. Static analysis uses for example string matching algorithms and/or + dataflow analysis. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 4 + implementation: + - uuid: 6a0948a7-4781-4858-9766-f4303971b28b + name: eslint + tags: [] + url: https://eslint.org/ + - uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078 + name: FindSecurityBugs + tags: [] + - uuid: cccc2882-62ab-4175-afa1-58471017e8ed + name: jsprime + tags: [] + url: https://github.com/dpnishant/jsprime + - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 + name: Fortify Extension for Visual Studio Code + url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code + tags: + - ide + - sast + - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005 + name: Setting Up the Visual Studio Code Extension Plugin + url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin + tags: + - ide + - sast + - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb + name: HCL AppScan CodeSweep + url: 
https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep + tags: + - ide + - sast + dependsOn: + - Static analysis for important client side components + - Static analysis for important server side components + - Inventory of production components + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/ee68331f-9b1d-4f61-844b-b2ea04753a84 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Static analysis for important client side components: + uuid: e237176b-bec5-447d-a926-e37d6dd60e4b + risk: Important parts in the source code of the frontend have vulnerabilities. + measure: Usage of static analysis tools for important parts of the frontend + are used. Static analysis uses for example string matching algorithms and/or + dataflow analysis. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 6a0948a7-4781-4858-9766-f4303971b28b + name: eslint + tags: [] + url: https://eslint.org/ + - uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078 + name: FindSecurityBugs + tags: [] + - uuid: cccc2882-62ab-4175-afa1-58471017e8ed + name: jsprime + tags: [] + url: https://github.com/dpnishant/jsprime + - uuid: 3a8ba0ea-37dc-4124-983b-bbf9b4443d75 + name: '[bdd-mobile-security' + tags: [] + url: https://github.com/ing-bank/bdd-mobile-security-automation-framework + description: '[bdd-mobile-security-automation-framework](https://github.com/ing-bank/bdd-mobile-security-automation-framework)' + - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 + name: Fortify Extension for Visual Studio Code + url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code + tags: + - ide + - sast + - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005 + name: Setting Up the Visual Studio Code 
Extension Plugin + url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin + tags: + - ide + - sast + - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb + name: HCL AppScan CodeSweep + url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep + tags: + - ide + - sast + dependsOn: + - Defined build process + - Inventory of production components + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/e237176b-bec5-447d-a926-e37d6dd60e4b + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Static analysis for important server side components: + uuid: 6c05c837-8c99-46e2-828b-7c903e27dba4 + risk: Important parts in the source code of the middleware have vulnerabilities. + measure: Usage of static analysis tools for important parts of the middleware + are used. Static analysis uses for example string matching algorithms and/or + dataflow analysis. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 3 + implementation: + - uuid: 6a0948a7-4781-4858-9766-f4303971b28b + name: eslint + tags: [] + url: https://eslint.org/ + - uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078 + name: FindSecurityBugs + tags: [] + - uuid: cccc2882-62ab-4175-afa1-58471017e8ed + name: jsprime + tags: [] + url: https://github.com/dpnishant/jsprime + - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 + name: Fortify Extension for Visual Studio Code + url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code + tags: + - ide + - sast + - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005 + name: Setting Up the Visual Studio Code Extension Plugin + url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin + tags: + - ide + - sast + - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb + name: HCL AppScan CodeSweep + url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep + tags: + - ide + - sast + dependsOn: + - Defined build process + - Inventory of production components + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/6c05c837-8c99-46e2-828b-7c903e27dba4 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Stylistic analysis: + uuid: efa52cc8-6c5c-4ba2-a3d2-7164b0402f34 + risk: Unclear or obfuscated code might have unexpected behavior. + measure: Analysis of compliance to style guides of the source code ensures that + source code formatting rules are met (e.g. indentation, loops, ...). 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 1 + level: 5 + implementation: + - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb + name: PMD + tags: [] + - uuid: 0b7ec352-0c36-4de1-8912-617fc6c608fe + name: How to enforce a consistent coding style in your projects + url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm + tags: + - ide + - linting + - uuid: aa5ded61-5380-4da6-9474-afc36a397682 + name: In-Depth Linting of Your TypeScript While Coding + url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding + tags: + - ide + - linting + - uuid: 94a7a85e-8064-46b4-929a-9e03fa292a9f + name: Super-Linter + tags: + - linting + - scm + url: https://github.com/github/super-linter + description: | + Lint code bases to catch common errors and enforce code style + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/efa52cc8-6c5c-4ba2-a3d2-7164b0402f34 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for Patch Deployment Time: + uuid: 0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2 + risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities + in production artifacts. + measure: | + Test of the Patch Deployment Time. + This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb + name: PMD + tags: [] + dependsOn: + - Automated PRs for patches + - Defined build process + references: + samm2: + - V-ST-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2 + comments: "" + meta: + implementationGuide: Self implementation. This activity is not repeated in + the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure + as well. + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Test for Time to Patch: + uuid: 13af1227-3dd1-4d4f-a9e9-53deb793c18f + risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities + in production artifacts. + measure: |- + Test of the Time to Patch (e.g. based on Mean Time to Close automatic PRs) + This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 + name: dependabot + tags: + - auto-pr + - patching + url: https://dependabot.com/ + - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920 + name: renovate + tags: + - auto-pr + - patching + url: https://github.com/renovatebot/renovate + dependsOn: + - Automated PRs for patches + references: + samm2: + - V-ST-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/13af1227-3dd1-4d4f-a9e9-53deb793c18f + comments: "" + meta: + implementationGuide: Usage of a version control platform API (e.g. github + API) can be used to fetch the information. Consider that `Measure libyears` + might be an alternative to this activity. + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Test libyear: + uuid: 87b54313-fafd-4860-930f-5ef132b3e4ad + risk: Vulnerabilities in running artifacts stay for long and might get exploited. + measure: Test `libyear`, which provides a good insight how good patch management + is. + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: 2fff917f-205e-4eab-2e0e-1fab8c04bf33 + name: libyear + tags: + - patching + - build + url: https://libyear.com/ + description: A simple measure of software dependency freshness. It is a single + number telling you how up-to-date your dependencies are. 
+ dependsOn: + - Defined build process + references: + samm2: + - V-ST-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/87b54313-fafd-4860-930f-5ef132b3e4ad + comments: "" + meta: + implementationGuide: | + `libyear` can be integrated into the build process and flag or even better break the build in case the defined threshold (e.g. 30 years) is reached. + An alternative approach is to determine `libyear` based on deployed artifacts (which requires more effort in implementation). + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Usage of multiple analyzers: + uuid: 297be001-8d94-41ee-ab29-207020d423c0 + risk: Each vulnerability analyzer has different opportunities. By using just + one analyzer, some vulnerabilities might not be found. + measure: Usage of multiple static tools to find more vulnerabilities. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 5 + usefulness: 1 + level: 4 + dependsOn: + - Software Composition Analysis (server side) + - Software Composition Analysis (client side) + - Static analysis for all self written components + implementation: [] + references: + samm2: + - V-ST-3-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/297be001-8d94-41ee-ab29-207020d423c0 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Static depth for infrastructure: + Analyze logs: + uuid: b217c8bb-5d61-4b41-a675-1083993f83b1 + risk: Not aware of attacks happening. + measure: Check logs for keywords. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - uuid: 1adf1ac0-8572-407b-a358-3976d9a225e2 + name: SigmaHQ + tags: [] + url: https://github.com/SigmaHQ/sigma + references: + samm2: [] + iso27001-2017: + - ISO 27001:2017 mapping is missing + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/b217c8bb-5d61-4b41-a675-1083993f83b1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Correlate known vulnerabilities in infrastructure with new image versions: + uuid: 7de0ae33-6538-45cd-8222-a1475647ba58 + risk: TODO. + measure: TODO + difficultyOfImplementation: + knowledge: 2 + time: 5 + resources: 4 + usefulness: 1 + level: 4 + dependsOn: + - Usage of a maximum lifetime for images + implementation: + - uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc + name: Anchore.io + tags: [] + url: https://anchore.com/ + - uuid: f10f5423-4dff-4bb7-99c8-9ce214645071 + name: Clair + tags: [] + url: https://github.com/quay/clair + - uuid: d0c6b3a0-b073-44d7-a187-c4ad8eaa6531 + name: OpenSCAP + tags: [] + url: https://www.open-scap.org/ + - uuid: 04261564-2fcf-4b73-8847-83b0d855e1c5 + name: Vuls + tags: [] + url: https://github.com/future-architect/vuls + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + iso27001-2022: + - 8.8 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/7de0ae33-6538-45cd-8222-a1475647ba58 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Software Composition Analysis: + uuid: 26e1c6d5-5632-4ec7-80d2-e564b98732ad + risk: Known vulnerabilities in infrastructure components like container images + might get exploited. 
+ measure: Check for known vulnerabilities + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 4 + level: 4 + description: Subscribing to Github projects and reading release notes might + help. Software Composition Analysis for infrastructure might help, but is + often too fine-granular. + implementation: + - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b + name: https://github.com/aquasecurity/trivy + tags: [] + url: https://github.com/aquasecurity/trivy + - uuid: 8737c6c0-4e90-400a-bf9a-f8e399913b57 + name: Registries like quay + tags: [] + description: Registries like quay, dockerhub provide (commercial) offerings, + often not suitable for distroless images + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/26e1c6d5-5632-4ec7-80d2-e564b98732ad + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test cluster deployment resources: + uuid: 621fb6a5-5c0a-4408-826a-068868bb031b + risk: The deployment configuration (e.g. kubernetes deployment resources) might + contain unsecured configurations. + measure: Test the deployment configuration for virtualized environments for + unsecured configurations. 
+ difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 3 + level: 2 + implementation: + - uuid: 1e58f8d2-61e2-45bb-a17c-51516d0cc9ba + name: kubesec + tags: [] + url: https://kubesec.io + references: + samm2: + - V-ST-1-A + iso27001-2017: + - System hardening is not explicitly covered by ISO 27001 - too specific + - 12.6.1 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - System hardening is not explicitly covered by ISO 27001 - too specific + - 8.8 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/621fb6a5-5c0a-4408-826a-068868bb031b + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for image lifetime: + uuid: ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b + risk: Old container images in production indicate that patch management is not + performed and therefore vulnerabilities might exists. + measure: Check the image age of containers in production. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 2 + level: 2 + implementation: + - url: https://github.com/SDA-SE/clusterscanner + uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f + name: ClusterScanner + tags: + - docker + - image + - container + - vulnerability + - misconfiguration + - security-tools + - scanning + description: Discover vulnerabilities and container image misconfiguration + in production environments. + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 12.6.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for malware: + uuid: 837f8f90-adc2-4e6b-9ebb-60c2ee29494d + risk: Third party might include malware. Ether due to the maintainer (e.g. 
+ typo squatting of an image name and using the wrong image) or by an attacker + on behalf of the maintainer with stolen credentials. + measure: Check for malware in components (e.g. container images, VM baseline + images, libraries). + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - url: https://github.com/SDA-SE/clusterscanner + uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f + name: ClusterScanner + tags: + - docker + - image + - container + - vulnerability + - misconfiguration + - security-tools + - scanning + description: Discover vulnerabilities and container image misconfiguration + in production environments. + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.2.1 + iso27001-2022: + - 8.7 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/837f8f90-adc2-4e6b-9ebb-60c2ee29494d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for new image version: + uuid: cb6321aa-0fbf-4996-9e08-05ab26ef4c1e + risk: When a new version of an image is available, it might fix security vulnerabilities. + measure: Check for new images of containers in production. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 2 + level: 3 + implementation: [] + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + - 14.2.5 + - 12.2.1 + iso27001-2022: + - 8.8 + - 8.7 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/cb6321aa-0fbf-4996-9e08-05ab26ef4c1e + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for stored secrets: + uuid: c6e3c812-56e2-41b0-ae01-b7afc41a004c + risk: Stored secrets in git history, in container images or directly in code + shouldn't exists because they might be exposed to unauthorized parties. 
+ measure: Test for secrets in code, container images and history + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 2 + level: 1 + implementation: + - uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6 + name: truffleHog + tags: [] + url: https://github.com/dxa4481/truffleHog + - uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835 + name: go-pillage-registries + tags: [] + url: https://github.com/nccgroup/go-pillage-registries + references: + samm2: + - V-ST-1-A + iso27001-2017: + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 9.4.3 + - 10.1.2 + iso27001-2022: + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 5.17 + - 8.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/c6e3c812-56e2-41b0-ae01-b7afc41a004c + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test of infrastructure components for known vulnerabilities: + uuid: 13367d8f-e37f-4197-a610-9ffca4fde261 + risk: Infrastructure components might have vulnerabilities. + measure: Test for known vulnerabilities in infrastructure components. Often, + the only way to respond to known vulnerabilities in operating system packages + is to accept the risk and wait for a patch. As the patch needs to be applied + fast when it is available, this activity depends on 'Usage of a maximum life + for images'. 
+ difficultyOfImplementation: + knowledge: 2 + time: 5 + resources: 2 + usefulness: 1 + level: 4 + dependsOn: + - Usage of a maximum lifetime for images + implementation: + - uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc + name: Anchore.io + tags: [] + url: https://anchore.com/ + - uuid: f10f5423-4dff-4bb7-99c8-9ce214645071 + name: Clair + tags: [] + url: https://github.com/quay/clair + - uuid: d0c6b3a0-b073-44d7-a187-c4ad8eaa6531 + name: OpenSCAP + tags: [] + url: https://www.open-scap.org/ + - uuid: 04261564-2fcf-4b73-8847-83b0d855e1c5 + name: Vuls + tags: [] + url: https://github.com/future-architect/vuls + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + iso27001-2022: + - 8.8 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/13367d8f-e37f-4197-a610-9ffca4fde261 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test of virtualized environments: + uuid: 58825d22-1ce6-4748-af81-0ec9956e4129 + risk: Virtualized environments (e.g. via Container Images) might contains + unsecure configurations. + measure: Test virtualized environments for unsecured configurations. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 3 + level: 2 + implementation: + - uuid: 73419fb5-b13d-4242-83ec-86f36c7d73d5 + name: Dive to inspect a container images + tags: [] + url: https://github.com/wagoodman/dive + - url: https://github.com/SDA-SE/clusterscanner + uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f + name: ClusterScanner + tags: + - docker + - image + - container + - vulnerability + - misconfiguration + - security-tools + - scanning + description: Discover vulnerabilities and container image misconfiguration + in production environments. 
+ references: + samm2: + - V-ST-1-A + iso27001-2017: + - ISO 27001:2017 mapping is missing + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/58825d22-1ce6-4748-af81-0ec9956e4129 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test the cloud configuration: + uuid: 46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc + risk: Standard hardening practices for cloud environments are not performed + leading to vulnerabilities. + measure: With the help of tools, the configuration of virtual environments are + tested. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 2 + implementation: + - uuid: 8aeefd29-6220-45bf-aead-83eba2e9d055 + name: kube-bench + tags: [] + url: https://github.com/aquasecurity/kube-bench + references: + samm2: + - V-ST-1-A + iso27001-2017: + - System hardening is not explicitly covered by ISO 27001 - too specific + - 12.6.1 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - System hardening is not explicitly covered by ISO 27001 - too specific + - 8.8 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test the definition of virtualized environments: + uuid: 8fc3de67-7b8d-420b-8d24-f35928cfed6e + risk: The definition of virtualized environments (e.g. via Dockerfile) + might contain unsecure configurations. + measure: Test the definition of virtualized environments for unsecured configurations. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 3 + level: 2 + meta: + implementationGuide: For containier (images), test that the images are following + best practices like distroless or non-root. 
+ implementation: + - uuid: 94d993ad-ef6e-4d9f-b7a8-27ea68dc3005 + name: Dockerfile with hadolint + tags: [] + url: https://github.com/hadolint/hadolint + - uuid: 95b717cd-5ad3-40b5-993b-13a63c382b1b + name: Deployment with kube-score + tags: [] + url: https://github.com/zegl/kube-score + - uuid: eba2685d-2d25-4961-8e4e-2957e7c07c30 + name: dockerfilelint + tags: + - sast + - docker + - dockerfile + url: https://github.com/replicatedhq/dockerfilelint + description: dockerfilelint is an node module that analyzes a Dockerfile and + looks for common traps, mistakes and helps enforce best practices. + references: + samm2: + - V-ST-1-A + iso27001-2017: + - System hardening, virtual environments are not explicitly covered by ISO + 27001 - too specific + - 12.6.1 + - 14.2.3 + - 14.2.8 + - 14.2.1 + iso27001-2022: + - System hardening, virtual environments are not explicitly covered by ISO + 27001 - too specific + - 8.8 + - 8.32 + - 8.29 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/8fc3de67-7b8d-420b-8d24-f35928cfed6e + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test-Intensity: + Creation and application of a testing concept: + uuid: 79ef8103-e1ed-4055-8df8-fd2b2015bebe + risk: Scans might use a too small or too high test intensity. + measure: A testing concept considering the amount of time per scan/intensity + is created and applied. A dynamic analysis needs more time than a static analysis. + The dynamic scan, depending on the test intensity might be performed on every + commit, every night, every week or once in a month. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 2 + level: 4 + implementation: [] + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 14.2.2 + - 14.2.3 + - 14.2.1 + - 14.2.5 + - 12.6.1 + iso27001-2022: + - 8.25 + - 8.32 + - 8.27 + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/79ef8103-e1ed-4055-8df8-fd2b2015bebe + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Deactivating of unneeded tests: + uuid: 1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5 + risk: As tools cover a wide range of different vulnerability tests, they might + not match the used components. Therefore, they need more time and resources + as they need and the feedback loops takes too much time. + measure: Unneeded tests are deactivated. For example in case the service is + using a Mongo database and no mysql database, the dynamic scan doesn't need + to test for sql injections. + difficultyOfImplementation: + knowledge: 2 + time: 3 + resources: 1 + usefulness: 1 + level: 3 + implementation: [] + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Default settings for intensity: + uuid: ab0a4b51-3b18-43f1-a6fc-a98e4b28453d + risk: Time pressure and ignorance might lead to false predictions for the test + intensity. + measure: The intensity of the used tools are not modified to save time. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 1 + level: 1 + implementation: [] + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/ab0a4b51-3b18-43f1-a6fc-a98e4b28453d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + High test intensity: + uuid: 2ebfc421-8c76-415c-a3b0-fa518915bd10 + risk: A too small intensity or a too high confidence might lead to not visible + vulnerabilities. + measure: A deep scan with high test intensity and a low confidence threshold + is performed. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 5 + usefulness: 3 + level: 3 + implementation: [] + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/2ebfc421-8c76-415c-a3b0-fa518915bd10 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Regular automated tests: + uuid: 598897a2-358e-441f-984c-e12ec4f6110a + risk: After pushing source code to the version control system, any delay in + receiving feedback on defects makes them harder for the developer to remediate. + measure: On each push and/or at given intervals automatic security tests are + performed. 
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 1
+ resources: 1
+ usefulness: 2
+ level: 2
+ implementation: []
+ references:
+ samm2:
+ - I-SB-3-A
+ iso27001-2017:
+ - 14.2.3
+ - 14.2.8
+ - 14.2.9
+ iso27001-2022:
+ - 8.32
+ - 8.29
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/598897a2-358e-441f-984c-e12ec4f6110a
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+...
diff --git a/src/assets/YAML/default/teams.yaml b/src/assets/YAML/default/teams.yaml
new file mode 100644
index 000000000..8bbaf32bb
--- /dev/null
+++ b/src/assets/YAML/default/teams.yaml
@@ -0,0 +1,28 @@
+---
+#
+# Teams
+#
+# This file defines the teams and what groups they belong to.
+#
+# Either edit this file, or you can add your own file
+# and update the reference in `meta.yaml`.
+#
+teams:
+ - Team A
+ - Team B
+ - Team C
+ - Team D
+
+teamGroups:
+ Customer:
+ - Team A
+ - Team B
+ Internal:
+ - Team C
+ - Team D
+ Cloud:
+ - Team A
+ - Team D
+ On-premise:
+ - Team B
+ - Team C
diff --git a/src/assets/YAML/generated/generated.yaml b/src/assets/YAML/generated/generated.yaml
new file mode 100644
index 000000000..5f0ac8637
--- /dev/null
+++ b/src/assets/YAML/generated/generated.yaml
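Review bot: The team names declared here (`Team A` to `Team D`) do not match the keys used under `teamsImplemented` in the generated.yaml hunk added by the same commit (`Default`, `B`, `C`), so if that per-activity map is meant to be keyed by the teams defined in this file, one of the two sides needs renaming before the data can be cross-referenced. The header comment also says nothing about the relationship between `teamGroups` and `teams`, and nothing visible in this commit checks that every group member is a declared team; I would add `# Every team listed under teamGroups must also appear under teams; a team may belong to several groups.` after the existing header block. The instruction to "update the reference in `meta.yaml`" presumably points at a key in that file, but the key is not named here; naming it would make the comment actionable.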
@@ -0,0 +1,8597 @@ +--- +#meta: + #source: https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/refs/heads/main/src/assets/YAML/generated/generated.yaml + #version: 1.15.2 + +Build and Deployment: + Build: + Building and testing of artifacts in virtual environments: + uuid: a340f46b-6360-4cb8-847b-a0d3483d09d3 + description: |- + While building and testing artifacts, third party systems, application frameworks + and 3rd party libraries are used. These might be malicious as a result of + vulnerable libraries or because they are altered during the delivery phase. + risk: |- + While building and testing artifacts, third party systems, application frameworks + and 3rd party libraries are used. These might be malicious as a result of + vulnerable libraries or because they are altered during the delivery phase. + measure: Each step during within the build and testing phase is performed in + a separate virtual environments, which is destroyed afterward. + meta: + implementationGuide: Depending on your environment, usage of virtual machines + or container technology is a good way. After the build, the filesystem should + not be used again in other builds. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 2 + level: 2 + implementation: + - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 + name: CI/CD tools + tags: + - ci-cd + url: https://martinfowler.com/articles/continuousIntegration.html + description: CI/CD tools such as jenkins, gitlab-ci or github-actions + - uuid: ed6b6340-6c7f-4e13-8937-f560d3f5db11 + name: Container technologies and orchestration like Docker, Kubernetes + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:ContainerOrchestrationSoftware/ + references: + samm2: + - I-SB-2-A + iso27001-2017: + - 14.2.6 + iso27001-2022: + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/a340f46b-6360-4cb8-847b-a0d3483d09d3 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Defined build process: + uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b + description: "A *build process* include more than just compiling your source + code. \nIt also includes steps such as managing (third party) dependencies, + \nenvironment configuration, running the unit tests, etc. \n\nA *defined build + process* has automated these steps to ensure consistency.\n\nThis can be done + with a Jenkinsfile, Maven, or similar tools.\n" + risk: Performing builds without a defined process is error prone; for example, + as a result of incorrect security related configuration. + measure: A well defined build process lowers the possibility of errors during + the build process. + difficultyOfImplementation: + knowledge: 2 + time: 3 + resources: 2 + usefulness: 4 + level: 1 + assessment: | + - Show your build pipeline and an exemplary job (build + test). + - Show that every team member has access. + - Show that failed jobs are fixed. 
+ + Credits: AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) + implementation: + - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 + name: CI/CD tools + tags: + - ci-cd + url: https://martinfowler.com/articles/continuousIntegration.html + description: CI/CD tools such as jenkins, gitlab-ci or github-actions + - uuid: ed6b6340-6c7f-4e13-8937-f560d3f5db11 + name: Container technologies and orchestration like Docker, Kubernetes + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:ContainerOrchestrationSoftware/ + references: + samm2: + - I-SB-1-A + iso27001-2017: + - 12.1.1 + - 14.2.2 + iso27001-2022: + - 5.37 + - 8.32 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f6f7737f-25a9-4317-8de2-09bf59f29b5b + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Pinning of artifacts: + uuid: f3c4971e-9f4d-4e59-8ed0-f0bdb6262477 + risk: Unauthorized manipulation of artifacts might be difficult to spot. For + example, this may result in using images with malicious code. Also, intended + major changes, which are automatically used in an image used might break the + functionality. + measure: Pinning of artifacts ensure that changes are performed only when intended. + comment: The usage of pinning requires a good processes for patching. Therefore, + choose this activity wisely. + meta: + implementationGuide: Pinning artifacts in Dockerfile refers to the practice + of using specific, immutable versions of base images and dependencies in + your build process. Instead of using the latest tag for your base image, + select a specific version or digest. For example, replace FROM node:latest, + to FROM node@sha256:abcdef12. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 2 + implementation: + - uuid: 9368abfb-cf37-477a-9091-a804d2de9148 + name: Signing of containers + tags: + - signing + - container + - build + url: https://www.aquasec.com/cloud-native-academy/supply-chain-security/container-image-signing/ + description: Container technology automatically creates a hash for images, + which can be used. + - uuid: 638b3691-c9a5-45fa-9ba8-e40aeea32766 + name: Immutable images + tags: + - deployment + - container + - build + url: https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/#immutablility-after-first-modification + description: Immutable images are an other way, e.g. by using a registry, + which doesn't allow overriding of images. + dependsOn: + - Defined build process + references: + samm2: + - I-SB-1-A + iso27001-2017: + - 14.2.6 + iso27001-2022: + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f3c4971e-9f4d-4e59-8ed0-f0bdb6262477 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + SBOM of components: + uuid: 2858ac12-0179-40d9-9acf-1b839c030473 + description: |- + SBOM (Software Bill of Materials) is a document that lists all components, libraries, + and dependencies used in a software application or container image. Creating an SBOM + during the build process can help ensure transparency, security, and license compliance + for your application. + risk: In case a vulnerability of severity high or critical exists, it needs + to be known where an artifacts with that vulnerability is deployed with which + dependencies. + measure: Creation of an SBOM of components (e.g. application and container image + content) during build. 
+ dependsOn: + - Defined build process + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 3 + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: [] + iso27001-2017: + - 8.1 + - 8.2 + iso27001-2022: + - 5.9 + - 5.12 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/2858ac12-0179-40d9-9acf-1b839c030473 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Signing of artifacts: + uuid: 5786959d-0c6f-46a6-8e1c-a32ff1a50222 + risk: Execution or usage of malicious code or data e.g. via executables, libraries + or container images. + measure: Digitally signing artifacts for all steps during the build and especially + docker images, helps to ensure their integrity and authenticity. + description: "To perform a push to a GitHub repository, you must be authenticated. + It's important to note that GitHub does not verify if the authenticated user's + email address matches the one in the commit.\nTo clearly identify the author + of a commit for reviewers, commit signing is recommended.\n\nGitHub actions + such as [semantic-release-action](https://github.com/cycjimmy/semantic-release-action) + do not automatically sign commits and may encounter issues as a result. \n\nTo + address this, you can refer to a working configuration example in the [workflow + folder](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel/blob/master/.github/workflows/main.yml) + of DSOMM, which demonstrates how to use semantic release action in conjunction + with [planetscale/ghcommit-action](https://github.com/planetscale/ghcommit-action).\nFor + added security, consider using [Fine-grained personal access tokens](https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/) + provided by your organization for a specific repository. Store the Personal + Access Token (PAT) as a secret in your project." 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 4 + level: 5 + implementation: + - uuid: ee81f93f-8230-4cfb-a132-ae4ec61cb8e6 + name: Docker Content Trust + tags: [] + url: https://docs.docker.com/engine/security/trust/ + - uuid: 6e9d8c14-ba3b-4698-afc3-365b4ab6fb1f + name: in-toto + tags: [] + url: https://in-toto.github.io/ + dependsOn: + - Defined build process + - Pinning of artifacts + references: + samm2: + - I-SB-1-A + iso27001-2017: + - 14.2.6 + iso27001-2022: + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/5786959d-0c6f-46a6-8e1c-a32ff1a50222 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Signing of code: + uuid: 9f107927-61e9-4574-85ad-3f2b4bca8665 + risk: Execution or usage of malicious code or data e.g. via executables, libraries + or container images. + measure: Digitally signing commits helps to prevent unauthorized manipulation + of source code. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - uuid: d6d755d3-b9f1-4942-a084-e62b266541df + name: Signing of commits + tags: + - signing + url: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work + description: Signing of commits in git + - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 + name: Enforcement of commit signing + tags: + - signing + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule + description: Usage of branch protection rules + dependsOn: + - Defined build process + references: + samm2: + - I-SB-2-A + iso27001-2017: + - 14.2.6 + iso27001-2022: + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/9f107927-61e9-4574-85ad-3f2b4bca8665 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Deployment: + Blue/Green Deployment: + uuid: 0cb2626b-fb0d-4a0f-9688-57f787310d97 + risk: A new artifact's version can have unknown defects. + measure: |- + Using a blue/green deployment strategy increases application availability + and reduces deployment risk by simplifying the rollback process if a deployment fails. 
+ difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 2 + level: 5 + implementation: + - uuid: 4fb3d95c-07c0-4cbb-b396-5054aba751c2 + name: Blue/Green Deployments + tags: [] + url: https://martinfowler.com/bliki/BlueGreenDeployment.html + dependsOn: + - Smoke Test + references: + samm2: + - TODO + iso27001-2017: + - 17.2.1 + - 12.1.1 + - 12.1.2 + - 12.1.4 + - 12.5.1 + - 14.2.9 + iso27001-2022: + - 8.14 + - 5.37 + - 8.31 + - 8.32 + - 8.19 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0cb2626b-fb0d-4a0f-9688-57f787310d97 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Defined decommissioning process: + uuid: da4ff665-dcb9-4e93-9d20-48cdedc50fc2 + description: |- + The decommissioning process in the context of Docker and Kubernetes involves + retiring Docker containers, images, and Kubernetes resources that are no longer + needed or have been replaced. This process must be carefully executed to avoid + impacting other services and applications. + risk: Unused applications are not maintained and may contain vulnerabilities. + Once exploited they can be used to attack other applications or to perform + lateral movements within the organization. + measure: A clear decommissioning process ensures the removal of unused applications + from the `Inventory of production components` and if implemented from `Inventory + of production artifacts`. 
+ difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 2 + level: 2 + references: + samm2: + - O-OM-2-B + iso27001-2017: + - 11.2.7 + iso27001-2022: + - 7.14 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/da4ff665-dcb9-4e93-9d20-48cdedc50fc2 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Defined deployment process: + uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a + risk: Deployment of insecure or malfunctioning artifacts. + measure: Defining a deployment process ensures that there are established criteria + in terms of functionalities, security, compliance, and performance, and that + the artifacts meet them. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 1 + dependsOn: + - Defined build process + implementation: + - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 + name: CI/CD tools + tags: + - ci-cd + url: https://martinfowler.com/articles/continuousIntegration.html + description: CI/CD tools such as jenkins, gitlab-ci or github-actions + - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba + name: Docker + url: https://github.com/moby/moby + tags: [] + references: + samm2: + - I-SD-1-A + iso27001-2017: + - 12.1.1 + - 14.2.2 + iso27001-2022: + - 5.37 + - 8.32 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/74938a3f-1269-49b9-9d0f-c43a79a1985a + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Environment depending configuration parameters (secrets): + uuid: df428c9d-efa0-4226-9f47-a15bb53f822b + risk: Unauthorized access to secrets stored in source code or in artifacts (e.g. + container images) through process listing (e.g. ps -ef). + measure: Set configuration parameters via environment variables stored using + specific platform functionalities or secrets management systems (e.g. 
Kubernetes + secrets or Hashicorp Vault). + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 2 + implementation: + - uuid: e3a2ffc8-313f-437e-9663-b24591568209 + name: Hashicorp Vault + tags: + - authentication + - authorization + - secrets + - infrastructure + url: https://github.com/hashicorp/vault + description: | + A tool for secrets management, encryption as a service, and privileged access management. + references: + samm2: + - I-SD-1-B + iso27001-2017: + - 9.4.5 + - 14.2.6 + iso27001-2022: + - 8.4 + - 8.31 + d3f: + - ApplicationConfigurationHardening + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/df428c9d-efa0-4226-9f47-a15bb53f822b + tags: + - secret + teamsImplemented: + Default: false + B: false + C: false + Evaluation of the trust of used components: + uuid: 0de465a6-55a7-4343-af79-948bb5ff10ba + risk: Application and system components like Open Source libraries or images + can have implementation flaws or deployment flaws. Developers or operations + might start random images in the production cluster which have malicious code + or known vulnerabilities. + measure: Each components source is evaluated to be trusted. For example the + source, number of developers included, email configuration used by maintainers + to prevent maintainer account theft, typo-squatting, ... Create image assessment + criteria, perform an evaluation of images and create a whitelist of artifacts/container + images/virtual machine images. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: 2a76300f-6b1f-4a51-b925-134c36b723af + name: Kubernetes Admission Controller can whitelist registries and/or whitelist + a signing key. 
+ tags: [] + url: https://medium.com/slalom-technology/build-a-kubernetes-dynamic-admission-controller-for-container-registry-whitelisting-b46fe020e22d + - uuid: 5d8b27ac-286e-47a5-b23f-769eb6d74e4a + name: packj + tags: + - OpenSource + - Supply Chain + - vulnerability + url: https://github.com/ossillate-inc/packj + description: | + Packj is a tool to detect software supply chain attacks. It can detect malicious, vulnerable, abandoned, typo-squatting, and other "risky" packages from popular open-source package registries, such as NPM, RubyGems, and PyPI. + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0de465a6-55a7-4343-af79-948bb5ff10ba + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Handover of confidential parameters: + uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a + risk: Parameters are often used to set credentials, for example by starting + containers or applications; these parameters can often be seen by any one + listing running processes on the target system. + measure: Encryption ensures confidentiality of credentials e.g. from unauthorized + access on the file system. Also, the usage of a credential management system + can help protect credentials. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 3 + implementation: "" + dependsOn: + - Environment depending configuration parameters (secrets) + references: + samm2: + - I-SD-2-B + iso27001-2017: + - 14.1.3 + - 13.1.3 + - 9.4.3 + - 9.4.1 + - 10.1.2 + iso27001-2022: + - 8.33 + - 8.22 + - 5.17 + - 8.3 + - 8.24 + d3f: + - ApplicationConfigurationHardening + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/94a96f79-8bd6-4904-97c0-994ff88f176a + tags: + - secret + teamsImplemented: + Default: false + B: false + C: false + Inventory of production artifacts: + uuid: 83057028-0b77-4d2e-8135-40969768ae88 + risk: In case a vulnerability of severity high or critical exists, it needs + to be known where an artifacts (e.g. container image) with that vulnerability + is deployed. + measure: A documented inventory of artifacts in production like container images + exists (gathered manually or automatically). + dependsOn: + - Defined deployment process + - Inventory of production components + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 3 + usefulness: 3 + level: 2 + implementation: + - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca + name: Backstage + tags: + - documentation + - inventory + url: https://github.com/backstage/backstage + description: | + Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). 
+ url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c + name: Image Metadata Collector + tags: + - documentation + - inventory + - kubernetes + url: https://github.com/SDA-SE/image-metadata-collector/ + description: | + Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. + references: + samm2: + - I-SD-2-A + iso27001-2017: + - 8.1 + - 8.2 + iso27001-2022: + - 5.9 + - 5.12 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/83057028-0b77-4d2e-8135-40969768ae88 + tags: + - inventory + teamsImplemented: + Default: false + B: false + C: false + Inventory of production components: + uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f + risk: An organization is unaware of components like applications in production. + Not knowing existing applications in production leads to not assessing it. + measure: |- + A documented inventory of components in production exists (gathered manually or automatically). For example a manually created document with applications in production. + In a kubernetes cluster, namespaces can be automatically gathered and documented, e.g. in a JSON in a S3 bucket/git repository, dependency track. + dependsOn: + - Defined deployment process + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 4 + level: 1 + implementation: + - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca + name: Backstage + tags: + - documentation + - inventory + url: https://github.com/backstage/backstage + description: | + Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. 
+ - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c + name: Image Metadata Collector + tags: + - documentation + - inventory + - kubernetes + url: https://github.com/SDA-SE/image-metadata-collector/ + description: | + Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. + references: + samm2: + - I-SD-2-A + iso27001-2017: + - 8.1 + - 8.2 + iso27001-2022: + - 5.9 + - 5.12 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/2a44b708-734f-4463-b0cb-86dc46344b2f + tags: + - inventory + teamsImplemented: + Default: false + B: false + C: false + Inventory of production dependencies: + uuid: 13e9757e-58e2-4277-bc0f-eadc674891e6 + risk: Delayed identification of components and their vulnerabilities in production. + In case a vulnerability is known by the organization, it needs to be known + where an artifacts with that vulnerability is deployed with which dependencies. + measure: A documented inventory of dependencies used in artifacts like container + images and containers exists. 
+ dependsOn: + - Inventory of production artifacts + - SBOM of components + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 3 + usefulness: 3 + level: 3 + implementation: + - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca + name: Backstage + tags: + - documentation + - inventory + url: https://github.com/backstage/backstage + description: | + Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c + name: Image Metadata Collector + tags: + - documentation + - inventory + - kubernetes + url: https://github.com/SDA-SE/image-metadata-collector/ + description: | + Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. + references: + samm2: + - I-SD-2-A + iso27001-2017: + - 8.1 + - 8.2 + iso27001-2022: + - 5.9 + - 5.12 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/13e9757e-58e2-4277-bc0f-eadc674891e6 + comments: "" + tags: + - inventory + - sbom + teamsImplemented: + Default: false + B: false + C: false + Rolling update on deployment: + uuid: 85d52588-f542-4225-a338-20dc22a5508d + risk: While a deployment is performed, the application can not be reached. 
+ measure: A deployment without downtime is performed*. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 2 + level: 3 + implementation: + - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba + name: Docker + url: https://github.com/moby/moby + tags: [] + - uuid: a71ce8f8-fd4a-4240-8b46-64a6cdb5dfdb + name: Webserver + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:WebServer/ + - uuid: ee2eb94b-7204-40d8-97da-43c7b1296e2e + name: rolling update + tags: [] + dependsOn: + - Defined deployment process + references: + samm2: + - I-SD-1-A + iso27001-2017: + - 12.5.1 + - 14.2.2 + - 17.2.1 + iso27001-2022: + - 8.19 + - 8.32 + - 8.14 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/85d52588-f542-4225-a338-20dc22a5508d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Same artifact for environments: + uuid: a854b48d-83bd-4f8d-8621-a0bdd470837f + risk: Building of an artifact for different environments means that an untested + artifact might reach the production environment. 
+ measure: Building an artifact once and deploying it to different environments + means that only tested artifacts are allowed to reach the production environment + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 4 + implementation: + - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba + name: Docker + url: https://github.com/moby/moby + tags: [] + dependsOn: + - Defined build process + references: + samm2: + - I-SD-2-A + iso27001-2017: + - 14.3.1 + - 14.2.8 + - 12.1.4 + iso27001-2022: + - 8.33 + - 8.29 + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a854b48d-83bd-4f8d-8621-a0bdd470837f + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of feature toggles: + uuid: a511799b-045e-4b96-9843-7d63d8c1e2ad + risk: Using environment variables to enable or disable features can lead to + a situation where a feature is accidentally enabled in the production environment. + measure: Usage of environment independent configuration parameter, called static + feature toggles, mitigates the risk of accidentally enabling insecure features + in production. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 2 + level: 4 + implementation: + - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba + name: Docker + url: https://github.com/moby/moby + tags: [] + - uuid: 83be6c60-6633-4c32-98de-7ae065c143c9 + name: Feature Toggles + tags: + - development + - architecture + url: https://martinfowler.com/articles/feature-toggles.html + description: | + Feature Toggles are a powerful technique, allowing teams to modify system behavior without changing code. 
(Pete Hodgson) + dependsOn: + - Same artifact for environments + references: + samm2: [] + iso27001-2017: + - 14.3.1 + - 14.2.8 + - 14.2.9 + - 12.1.4 + iso27001-2022: + - 8.33 + - 8.29 + - 8.31 + d3f: + - ApplicationConfigurationHardening + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a511799b-045e-4b96-9843-7d63d8c1e2ad + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Patch Management: + A patch policy is defined: + uuid: 99415139-6b50-441b-89e1-0aa59accd43d + risk: Vulnerabilities in running artifacts stay for long and might get exploited. + measure: A patch policy for all artifacts (e.g. in images) is defined. How often + is an image rebuilt? + difficultyOfImplementation: + knowledge: 3 + time: 1 + resources: 2 + usefulness: 4 + level: 1 + implementation: [] + references: + samm2: + - O-EM-1-B + iso27001-2017: + - 12.6.1 + - 12.5.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.19 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/99415139-6b50-441b-89e1-0aa59accd43d + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Automated PRs for patches: + uuid: 8ae0b92c-10e0-4602-ba22-7524d6aed488 + risk: Components with known (or unknown) vulnerabilities might stay for long + and get exploited, even when a patch is available. + measure: |- + Fast patching of third party component is needed. The DevOps way is to have an automated pull request for new components. This includes + * Applications * Virtualized operating system components (e.g. container images) * Operating Systems * Infrastructure as Code/GitOps (e.g. 
argocd based on a git repository or terraform) + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 4 + level: 1 + implementation: + - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 + name: dependabot + tags: + - auto-pr + - patching + url: https://dependabot.com/ + - uuid: 42ddb49f-48f2-4a3a-b76a-e73104ac6971 + name: Jenkins + tags: [] + url: https://www.jenkins.io/ + - uuid: 0d63f907-37fe-4375-88a5-a5e252732618 + name: terraform + tags: + - IaC + url: https://www.terraform.io/ + description: | + Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service. + - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920 + name: renovate + tags: + - auto-pr + - patching + url: https://github.com/renovatebot/renovate + references: + samm2: + - O-EM-1-B + iso27001-2017: + - 12.6.1 + - 14.2.5 + iso27001-2022: + - "8.8" + - "8.27" + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/8ae0b92c-10e0-4602-ba22-7524d6aed488 + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Automated deployment of automated PRs: + uuid: 08f27c26-2c6a-47fe-9458-5e88f188085d + description: Automated merges of automated created PRs for outdated dependencies. + risk: Even if automated dependencies PRs are merged, they might not be deployed. + This results in vulnerabilities in running artifacts stay for too long and + might get exploited. 
+ measure: | + After merging of an automated dependency PR, automated deployment is needed, + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + dependsOn: + - Automated merge of automated PRs + implementation: + - uuid: 0d63f907-37fe-4375-88a5-a5e252732618 + name: terraform + tags: + - IaC + url: https://www.terraform.io/ + description: | + Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service. + - uuid: fdb0e7cc-d3dd-4a2b-9f45-7d403001294f + name: argoCD + tags: + - deployment + url: https://argo-cd.readthedocs.io/en/stable/ + references: + samm2: + - O-EM-2-B + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/08f27c26-2c6a-47fe-9458-5e88f188085d + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Automated merge of automated PRs: + uuid: f2594f8f-1cd6-45f9-af29-eaf3315698eb + description: Automated merges of automated created PRs for outdated dependencies. + risk: Vulnerabilities in running artifacts stay for too long and might get exploited. + measure: | + A good practice is to merge trusted dependencies (e.g. spring boot) after a grace period like one week. + Often, patches, fixes and minor updates are automatically merged. Be aware that automated merging requires a high + automated test coverage. Enforcement of merging of pull requests after a grace period. 
+ difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 3 + level: 2 + dependsOn: + - Automated PRs for patches + implementation: + - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 + name: dependabot + tags: + - auto-pr + - patching + url: https://dependabot.com/ + - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920 + name: renovate + tags: + - auto-pr + - patching + url: https://github.com/renovatebot/renovate + references: + samm2: + - O-EM-2-B + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/f2594f8f-1cd6-45f9-af29-eaf3315698eb + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Nightly build of images (base images): + uuid: 34869eaf-f2e1-4926-b0bd-28c43402f057 + description: |- + A base image is a pre-built image that serves as a starting point for building + new images or containers. These base images usually include an operating system, + necessary dependencies, libraries, and other components that are required to run + a specific application or service. Nightly builds of custom base images refer to + an automated process that occurs daily or on a scheduled basis, usually during + nighttime or off-peak hours, to create updated versions of custom base images. + risk: Vulnerabilities in running containers stay for too long and might get + exploited. + measure: Custom base images are getting build at least nightly. In case the + packages in the base image e.g. centos has changed, the build server + triggers the build of depending images. 
+ difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: + - O-EM-1-B + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/34869eaf-f2e1-4926-b0bd-28c43402f057 + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Reduction of the attack surface: + uuid: 16e39c8f-5336-4001-88ed-a552d2447531 + description: |- + Distroless images are minimal, stripped-down base images that contain only the + essential components required to run your application. They do not include package + managers, shells, or any other tools that are commonly found in standard Linux + distributions. Using distroless images can help reduce the attack surface and + overall size of your container images. + risk: Components, dependencies, files or file access rights might have vulnerabilities, + but the they are not needed. + measure: Removal of unneeded components, dependencies, files or file access + rights. For container images the usage of distroless images is recommended. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 3 + level: 2 + implementation: + - uuid: ef647044-b675-47d3-9720-3ebc144ef37b + name: Distroless + tags: [] + url: https://github.com/GoogleContainerTools/distroless + - uuid: be757cb3-63d6-4a63-9c4e-e10b746fd47a + name: Fedora CoreOS + tags: [] + url: https://getfedora.org/coreos + - uuid: a92c4f8f-a918-406a-b1e5-70acfc0477bd + name: Distroless or Alpine + tags: [] + url: https://itnext.io/which-container-images-to-use-distroless-or-alpine-96e3dab43a22 + references: + samm2: + - I-SB-2 + iso27001-2017: + - hardening is missing in ISO 27001 + - 14.2.1 + iso27001-2022: + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/16e39c8f-5336-4001-88ed-a552d2447531 + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Usage of a maximum lifetime for images: + uuid: 485a3383-7f2e-4dba-bb84-479377070904 + description: |- + The maximum lifetime for a Docker container refers to the duration a container + should be allowed to run before it is considered outdated, stale, or insecure. + There is not a fixed, universally applicable maximum lifetime for a Docker + container, as it varies depending on the specific use case, application + requirements, and security needs. As a best practice, it is essential to define + a reasonable maximum lifetime for containers to ensure that you consistently + deploy the most recent, patched, and secure versions of both your custom base + images and third-party images. + risk: Vulnerabilities in images of running containers stay for too long and + might get exploited. Long running containers have potential memory leaks. + A compromised container might get killed by restarting the container (e.g. + in case the attacker has not reached the persistence layer). + measure: A short maximum lifetime for images is defined, e.g. 30 days. 
The project + images, based on the nightly builded images, are deployed at leased once within + the defined lifetime. Third Party images are deployed at leased once within + the defined lifetime. + difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 2 + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: + - O-EM-1-B + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/485a3383-7f2e-4dba-bb84-479377070904 + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Usage of a short maximum lifetime for images: + uuid: 6b96e5a0-ce34-4ea4-a88f-469d3b84546e + description: |- + The maximum lifetime for a Docker container refers to the duration a container + should be allowed to run before it is considered outdated, stale, or insecure. + There is not a fixed, universally applicable maximum lifetime for a Docker + container, as it varies depending on the specific use case, application + requirements, and security needs. As a best practice, it is essential to define + a reasonable maximum lifetime for containers to ensure that you consistently + deploy the most recent, patched, and secure versions of both your custom base + images and third-party images. + risk: Vulnerabilities in running containers stay for too long and might get + exploited. + measure: | + A good practice is to perform the build and deployment daily or even just-in-time, when a new component (e.g. package) for the image is available. 
+ difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 2 + usefulness: 3 + level: 4 + implementation: + - uuid: 1a463242-b480-46f6-a912-b51ec1c1558d + name: "Sample concept: \n(1" + tags: [] + description: "Sample concept: \n(1) each container has a set lifetime and + is killed / replaced with a new container multiple times a day where you + have some form of a graceful replacement to ensure no (short) service outage + will occur to the end users. \n(2) twice a day a rebuild of images is done. + The rebuilds are put into a automated testing pipeline. If the testing has + no blocking issues the new images will be released for deployment during + the next \"restart\" of a container. What has to be done, is to ensure the + new containers are deployed in some canary deployment manner, this will + ensure that if (and only if) something buggy has been introduced which breaks + functionality the canary deployment will make sure the \"older version\" + is being used and not the buggy newer one." + references: + samm2: + - O-EM-2-B + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch + Management/6b96e5a0-ce34-4ea4-a88f-469d3b84546e + comments: "" + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false +Culture and Organization: + Design: + Conduction of advanced threat modeling: + uuid: ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9 + risk: Inadequate identification of business and technical risks. + measure: Threat modeling is performed by using reviewing user stories and producing + security driven data flow diagrams. 
+ difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 2 + usefulness: 3 + level: 4 + dependsOn: + - Conduction of simple threat modeling on technical level + - Creation of threat modeling processes and standards + description: | + **Example High Maturity Scenario:** + + Based on a detailed threat model defined and updated through code, the team decides the following: + + * Local encrypted caches need to expire and auto-purged. + * Communication channels encrypted and authenticated. + * All secrets persisted in shared secrets store. + * Frontend designed with permissions model integration. + * Permissions matrix defined. + * Input is escaped output is encoded appropriately using well established libraries. + + Source: OWASP Project Integration Project + implementation: + - uuid: c0533602-11b7-4838-93cc-a40556398163 + name: Whiteboard + tags: + - defender + - threat-modeling + - collaboration + - whiteboard + url: https://en.wikipedia.org/wiki/Whiteboard + - uuid: 965c3814-b6df-4ead-a096-1ed78ce1c7c1 + name: Miro (or any other collaborative board) + tags: + - defender + - threat-modeling + - collaboration + - whiteboard + url: https://miro.com/ + - uuid: 088794c4-3424-40d4-9084-4151587fc84d + name: Draw.io + tags: + - defender + - threat-modeling + - whiteboard + url: https://github.com/jgraph/drawio-desktop + - uuid: fd0f282b-a065-4464-beed-770c604a5f52 + name: Threat Modeling Playbook + tags: + - owasp + - defender + - threat-modeling + - whiteboard + url: https://github.com/Toreon/threat-model-playbook + - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52 + name: OWASP SAMM + tags: + - threat-modeling + - owasp + - defender + url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ + - uuid: e8332407-5149-459e-a2fe-c5c78c7ec55c + name: Threagile + tags: + - threat-modeling + url: https://github.com/Threagile/threagile + - uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617 + name: Threat Matrix for Storage + url: 
https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/ + tags: + - documentation + - storage + - cluster + - kubernetes + references: + samm2: + - D-TA-2-B + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 8.2.1 + - 14.2.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 5.12 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Conduction of simple threat modeling on business level: + uuid: 48f97f31-931c-46eb-9b3e-e2fec0cd0426 + risk: Business related threats are discovered too late in the development and + deployment process. + measure: Threat modeling of business functionality is performed during the product + backlog creation to facilitate early detection of security defects. + difficultyOfImplementation: + knowledge: 2 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: [] + references: + samm2: + - D-TA-2-B + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 8.2.1 + - 14.2.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 5.12 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/48f97f31-931c-46eb-9b3e-e2fec0cd0426 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Conduction of simple threat modeling on technical level: + uuid: 47419324-e263-415b-815d-e7161b6b905e + risk: Technical related threats are discovered too late in the development and + deployment process. + measure: Threat modeling of technical features is performed during the product + sprint planning. 
+ difficultyOfImplementation: + knowledge: 2 + time: 3 + resources: 1 + usefulness: 3 + level: 1 + implementation: + - uuid: c0533602-11b7-4838-93cc-a40556398163 + name: Whiteboard + tags: + - defender + - threat-modeling + - collaboration + - whiteboard + url: https://en.wikipedia.org/wiki/Whiteboard + - uuid: 965c3814-b6df-4ead-a096-1ed78ce1c7c1 + name: Miro (or any other collaborative board) + tags: + - defender + - threat-modeling + - collaboration + - whiteboard + url: https://miro.com/ + - uuid: 088794c4-3424-40d4-9084-4151587fc84d + name: Draw.io + tags: + - defender + - threat-modeling + - whiteboard + url: https://github.com/jgraph/drawio-desktop + - uuid: fd0f282b-a065-4464-beed-770c604a5f52 + name: Threat Modeling Playbook + tags: + - owasp + - defender + - threat-modeling + - whiteboard + url: https://github.com/Toreon/threat-model-playbook + - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52 + name: OWASP SAMM + tags: + - threat-modeling + - owasp + - defender + url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ + - uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617 + name: Threat Matrix for Storage + url: https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/ + tags: + - documentation + - storage + - cluster + - kubernetes + description: | + # OWASP SAMM Description + Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment. + + Threat modeling is a team exercise, including product owners, architects, security champions, and security testers. At this maturity level, expose teams and stakeholders to threat modeling to increase security awareness and to create a shared vision on the security of the system. 
+ + At maturity level 1, you perform threat modeling ad-hoc for high-risk applications and use simple threat checklists, such as STRIDE. Avoid lengthy workshops and overly detailed lists of low-relevant threats. Perform threat modeling iteratively to align to more iterative development paradigms. If you add new functionality to an existing application, look only into the newly added functions instead of trying to cover the entire scope. A good starting point is the existing diagrams that you annotate during discussion workshops. Always make sure to persist the outcome of a threat modeling discussion for later use. + + Your most important tool to start threat modeling is a whiteboard, smartboard, or a piece of paper. Aim for security awareness, a simple process, and actionable outcomes that you agree upon with your team. Once requirements are gathered and analysis is performed, implementation specifics need to be defined. The outcome of this stage is usually a diagram outlining data flows and a general system architecture. This presents an opportunity for both threat modeling and attaching security considerations to every ticket and epic that is the outcome of this stage. + + Source: https://owaspsamm.org/model/design/threat-assessment/stream-b/ + # OWASP Project Integration Description + There is some great advice on threat modeling out there *e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/) article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one. + + A bite sized primer by Adam Shostack himself can be found [here](https://adam.shostack.org/blog/2018/03/threat-modeling-panel-at-appsec-cali-2018/). + + OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling) on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html). 
Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/). + + There's a few projects that can help with creating Threat Models at this stage, [PyTM](https://github.com/izar/pytm) is one, [ThreatSpec](https://github.com/threatspec/threatspec) is another. + + > Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations. An example can be found below._ + + ![Threat Model](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/threat_model.png "Threat Model") + + Last, if the organizations maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function. + + ![SKF](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/skf_qs.png "SKF") + + This practice has the side effect that it trains non-security specialists to think like attackers. + + The outcomes of this stage should help lay the foundation of secure design and considerations. + + **Example Low Maturity Scenario:** + + Following vague feature requirements the design includes caching data to a local unencrypted database with a hardcoded password. + + Remote data store access secrets are hardcoded in the configuration files. All communication between backend systems is plaintext. + + Frontend serves data over GraphQL as a thin layer between caching system and end user. + + GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries. Access to data is protected with basic auth set to _1234:1234_ for development purposes. 
+ + Source: OWASP Project Integration Project + references: + samm2: + - D-TA-2-B + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 8.2.1 + - 14.2.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 5.12 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/47419324-e263-415b-815d-e7161b6b905e + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Creation of advanced abuse stories: + uuid: 0a929c3e-ab9a-4206-8761-adf84b74622e + risk: Simple user stories are not going deep enough. Relevant security considerations + are performed. Security flaws are discovered too late in the development and + deployment process + measure: Advanced abuse stories are created as part of threat modeling activities. + difficultyOfImplementation: + knowledge: 4 + time: 2 + resources: 1 + usefulness: 4 + level: 5 + dependsOn: + - Creation of simple abuse stories + implementation: + - uuid: bb5b8988-021b-452a-a914-bd36887b6860 + name: Don't Forget EVIL User stories + tags: [] + url: https://www.owasp.org/index.php/Agile_Software_Development + description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) + and [Practical Security Stories and Security Tasks for Agile Development + Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' + references: + samm2: + - D-TA-2-B + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of project management + - 6.1.5 + - May be part of risk assessment + - 8.1.2 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of project management + - 5.8 + - May be part of risk assessment + - 5.9 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/0a929c3e-ab9a-4206-8761-adf84b74622e + comments: "" + 
tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Creation of simple abuse stories: + uuid: bacf85b6-5bc0-405d-b5ba-a5d971467cc1 + risk: User stories mostly don't consider security implications. Security flaws + are discovered too late in the development and deployment process. + measure: Abuse stories are created during the creation of user stories. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 3 + implementation: + - uuid: bb5b8988-021b-452a-a914-bd36887b6860 + name: Don't Forget EVIL User stories + tags: [] + url: https://www.owasp.org/index.php/Agile_Software_Development + description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) + and [Practical Security Stories and Security Tasks for Agile Development + Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' + dependsOn: + - Conduction of simple threat modeling on technical level + - Creation of threat modeling processes and standards + references: + samm2: + - D-TA-2-B + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of project management + - 6.1.5 + - May be part of risk assessment + - 8.1.2 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of project management + - 5.8 + - May be part of risk assessment + - 5.9 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/bacf85b6-5bc0-405d-b5ba-a5d971467cc1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Creation of threat modeling processes and standards: + uuid: dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e + risk: Inadequate identification of business and technical risks. 
+ measure: Creation of threat modeling processes and standards through the organization + helps to enhance the security culture and provide more structure to the threat + model exercises. + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 2 + usefulness: 3 + level: 3 + description: "" + implementation: + - uuid: fd0f282b-a065-4464-beed-770c604a5f52 + name: Threat Modeling Playbook + tags: + - owasp + - defender + - threat-modeling + - whiteboard + url: https://github.com/Toreon/threat-model-playbook + - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52 + name: OWASP SAMM + tags: + - threat-modeling + - owasp + - defender + url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ + dependsOn: + - Conduction of simple threat modeling on technical level + references: + samm2: + - D-TA-3-B + iso27001-2017: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 8.2.1 + - 14.2.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 + - May be part of risk assessment + - 5.12 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Information security targets are communicated: + uuid: 1b9281b9-48e2-4c01-9ac6-9db9931c4885 + risk: Employees don't know their organizations security targets. Therefore security + is not considered during development and administration as much as it should + be. + measure: Transparent and timely communication of the security targets by senior + management is essential to ensure teams' buy-in and support. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: [] + iso27001-2017: + - 5.1.1 + - 7.2.1 + iso27001-2022: + - 5.1 + - 5.4 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/1b9281b9-48e2-4c01-9ac6-9db9931c4885 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Education and Guidance: + Ad-Hoc Security trainings for software developers: + uuid: 12c90cc6-3d58-4d9b-82ff-d469d2a0c298 + risk: Understanding security is hard and personnel needs to be trained on it. + Otherwise, flaws like an SQL Injection might be introduced into the software + which might get exploited. + measure: Provide security awareness training for all personnel involved in software + development Ad-Hoc. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 3 + level: 1 + implementation: + - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a + name: OWASP Juice Shop + tags: + - training + url: https://github.com/bkimminich/juice-shop + description: In case you do not have the budget to hire an external security + expert, an option is to use the OWASP JuiceShop on a "hacking Friday" + - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 + name: OWASP Cheatsheet Series + tags: + - secure coding + url: https://cheatsheetseries.owasp.org/ + references: + samm2: + - G-EG-1-A + iso27001-2017: + - 7.2.2 + iso27001-2022: + - 6.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education + and Guidance/12c90cc6-3d58-4d9b-82ff-d469d2a0c298 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Aligning security in teams: + uuid: f994a55d-71bb-45a4-a887-0a213d72c504 + risk: The concept of Security Champions might suggest that only he/she is responsible + for security. However, everyone in the project team should be responsible + for security. 
+ measure: By aligning security Subject Matter Experts with project teams, a higher
+ security standard can be achieved.
+ difficultyOfImplementation:
+ knowledge: 4
+ time: 4
+ resources: 1
+ usefulness: 5
+ implementation:
+ - uuid: 8a044b74-17f2-4ffa-9dee-6b3bb6e4baf3
+ name: Involve Security SME
+ tags: []
+ description: Security SME are involved in discussion for requirements analysis,
+ software design and sprint planning to provide guidance and suggestions.
+ level: 4
+ references:
+ samm2:
+ - G-EG-3-B
+ iso27001-2017:
+ - 7.1.1
+ iso27001-2022:
+ - 6.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/f994a55d-71bb-45a4-a887-0a213d72c504
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Conduction of build-it, break-it, fix-it contests:
+ uuid: bfdb576e-a416-4ec6-96fe-a078d58b2ff8
+ risk: Understanding security is hard, even for security champions and the conduction
+ of security training often focuses on breaking a component instead of building
+ a component secure.
+ measure: The build-it, break-it, fix-it contest allows to train people with
+ security related roles like security champions the build, break and fix part
+ of a secure application. This increases the learning of building secure components.
+ difficultyOfImplementation:
+ knowledge: 5
+ time: 3
+ resources: 1
+ usefulness: 3
+ level: 3
+ implementation:
+ - uuid: 8d4c1849-f310-4c42-8148-2810b382bc6f
+ name: Build it Break it Fix it Contest
+ tags: []
+ url: https://builditbreakit.org/
+ references:
+ samm2:
+ - G-EG-2-A
+ iso27001-2017:
+ - 7.2.2
+ iso27001-2022:
+ - 6.3
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/bfdb576e-a416-4ec6-96fe-a078d58b2ff8
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Conduction of collaborative security checks with developers and system administrators:
+ uuid: 95caef96-36ed-458c-a087-5c35d4f9dec2
+ risk: Security checks by external companies do not increase the understanding
+ of an application/system for internal employees.
+ measure: Periodically security reviews of source code (SCA), in which security
+ SME, developers and operations are involved, are effective at increasing the
+ robustness of software and the security knowledge of the teams involved.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 2
+ resources: 1
+ usefulness: 3
+ level: 5
+ implementation: []
+ references:
+ samm2:
+ - G-EG-2-A
+ iso27001-2017:
+ - Mutual review of source code is not explicitly required in ISO 27001 may
+ be
+ - 7.2.2
+ - 12.6.1
+ - 12.7.1
+ iso27001-2022:
+ - Mutual review of source code is not explicitly required in ISO 27001 may
+ be
+ - 6.3
+ - 8.8
+ - 8.34
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/95caef96-36ed-458c-a087-5c35d4f9dec2
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Conduction of collaborative team security checks:
+ uuid: 35446784-7610-40d9-af9e-d43f3173bf8c
+ risk: Development teams limited insight over security practices.
+ measure: Mutual security testing the security of other teams project enhances
+ security awareness and knowledge.
+ difficultyOfImplementation:
+ resources: 2
+ knowledge: 4
+ time: 4
+ usefulness: 2
+ level: 4
+ implementation: []
+ references:
+ samm2:
+ - G-EG-1-A
+ - G-EG-2-A
+ iso27001-2017:
+ - Mutual security testing is not explicitly required in ISO 27001 may be
+ - 7.2.2
+ iso27001-2022:
+ - Mutual security testing is not explicitly required in ISO 27001 may be
+ - 6.3
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/35446784-7610-40d9-af9e-d43f3173bf8c
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Conduction of war games:
+ uuid: 534f60bf-0995-4314-bb9c-f0f2bf204694
+ risk: Understanding incident response plans during an incident is hard and ineffective.
+ measure: War Games like activities help train for incidents. Security SMEs create
+ attack scenarios in a testing environment enabling the trainees to learn how
+ to react in case of an incident.
+ difficultyOfImplementation:
+ knowledge: 4
+ time: 5
+ resources: 4
+ usefulness: 3
+ level: 4
+ implementation: []
+ references:
+ samm2:
+ - G-EG-2-A
+ iso27001-2017:
+ - War games are not explicitly required in ISO 27001 may be
+ - 7.2.2
+ - 16.1
+ - 16.1.5
+ iso27001-2022:
+ - War games are not explicitly required in ISO 27001 may be
+ - 6.3
+ - 5.24
+ - 5.26
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/534f60bf-0995-4314-bb9c-f0f2bf204694
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Each team has a security champion:
+ uuid: 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87
+ risk: No one feels directly responsible for security and the security champion
+ does not have enough time to allocate to each team.
+ measure: Each team defines an individual to be responsible for security.
These
+ individuals are often referred to as 'security champions'
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 2
+ resources: 1
+ usefulness: 4
+ level: 2
+ description: |
+ Implement a program where each software development team has a member considered a "Security Champion" who is the liaison between Information Security and developers. Depending on the size and structure of the team the "Security Champion" may be a software developer, tester, or a product manager. The "Security Champion" has a set number of hours per week for Information Security related activities. They participate in periodic briefings to increase awareness and expertise in different security disciplines. "Security Champions" have additional training to help develop these roles as Software Security subject-matter experts. You may need to customize the way you create and support "Security Champions" for cultural reasons.
+
+ The goals of the position are to increase effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. To achieve these objectives, "Security Champions" assist with researching, verifying, and prioritizing security and compliance related software defects. They are involved in all Risk Assessments, Threat Assessments, and Architectural Reviews to help identify opportunities to remediate security defects by making the architecture of the application more resilient and reducing the attack threat surface.
+
+ [Source: OWASP SAMM](https://owaspsamm.org/model/governance/education-and-guidance/stream-b/)
+ implementation:
+ - uuid: c191a515-3c10-4903-a889-70c8021f2ea1
+ name: OWASP Security Champions Playbook
+ tags:
+ - security champions
+ url: https://github.com/c0rdis/security-champions-playbook
+ references:
+ samm2:
+ - G-EG-1-B
+ - G-EG-2-B
+ iso27001-2017:
+ - Security champions are missing in ISO 27001 most likely
+ - 7.2.1
+ - 7.2.2
+ iso27001-2022:
+ - Security champions are missing in ISO 27001 most likely
+ - 5.4
+ - 6.3
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/6217fe11-5ed7-4cf4-9de4-555bcfa6fe87
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Office Hours:
+ uuid: 185d5a74-19dc-4422-be07-44ea35226783
+ risk: Developers and Operations are not in contact with the security team and
+ therefore do not ask prior implementation of (known or unknown) threats-
+ measure: As a security team, be open for questions and hints during defined
+ office hours. x x d
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 1
+ resources: 1
+ usefulness: 3
+ level: 3
+ implementation: ~
+ references:
+ samm2:
+ - G-EG-1-A
+ iso27001-2017:
+ - 7.2.2
+ iso27001-2022:
+ - 6.3
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/185d5a74-19dc-4422-be07-44ea35226783
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Regular security training for all:
+ uuid: 9768f154-357a-4c06-af6f-d66570677c9b
+ risk: Understanding security is hard.
+ measure: Provide security awareness training for all internal personnel involved
+ in software development on a regular basis like twice in a year for 1-3 days.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 4
+ resources: 2
+ usefulness: 4
+ level: 2
+ description: |
+ Conduct security awareness training for all roles currently involved in the management, development, testing, or auditing of the software. The goal is to increase the awareness of application security threats and risks, security best practices, and secure software design principles. Develop training internally or procure it externally. Ideally, deliver training in person so participants can have discussions as a team, but Computer-Based Training (CBT) is also an option.
+
+ Course content should include a range of topics relevant to application security and privacy, while remaining accessible to a non-technical audience. Suitable concepts are secure design principles including Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability. Additionally, the training should include references to any organization-wide standards, policies, and procedures defined to improve application security. The OWASP Top 10 vulnerabilities should be covered at a high level.
+
+ Training is mandatory for all employees and contractors involved with software development and includes an auditable sign-off to demonstrate compliance. Consider incorporating innovative ways of delivery (such as gamification) to maximize its effectiveness and combat desensitization.
+
+ [Source: OWASP SAMM 2](https://owaspsamm.org/model/governance/education-and-guidance/stream-a/)
+ implementation:
+ - uuid: 81476121-67dd-4ba9-a67b-e78a23050c28
+ name: OWASP JuiceShop
+ tags: []
+ url: https://github.com/bkimminich/juice-shop
+ description: |-
+ In case you do not have the budget to hire an external security expert, an option
+ is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday"
+ - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
+ name: OWASP Cheatsheet Series
+ tags:
+ - secure coding
+ url: https://cheatsheetseries.owasp.org/
+ references:
+ samm2:
+ - G-EG-1-A
+ iso27001-2017:
+ - 7.2.2
+ iso27001-2022:
+ - 6.3
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/9768f154-357a-4c06-af6f-d66570677c9b
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Regular security training for externals:
+ uuid: 31833d56-35af-4ef3-9300-f23d27646ce7
+ risk: Understanding security is hard.
+ measure: Provide security awareness training for all personnel including externals
+ involved in software development on a regular basis.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 2
+ resources: 3
+ usefulness: 4
+ level: 4
+ implementation:
+ - uuid: 81476121-67dd-4ba9-a67b-e78a23050c28
+ name: OWASP JuiceShop
+ tags: []
+ url: https://github.com/bkimminich/juice-shop
+ description: |-
+ In case you do not have the budget to hire an external security expert, an option
+ is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday"
+ - uuid: 99080ac7-60cd-46af-93a1-a53a33597cba
+ name: https://cheatsheetseries.owasp.org/
+ tags:
+ - training
+ - secure coding
+ url: https://cheatsheetseries.owasp.org/
+ references:
+ samm2:
+ - G-EG-3-A
+ iso27001-2017:
+ - 7.2.2
+ iso27001-2022:
+ - 6.3
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/31833d56-35af-4ef3-9300-f23d27646ce7
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Regular security training of security champions:
+ uuid: f88d1b17-3d7d-4c3d-8139-ad44fc4942d4
+ risk: Understanding security is hard, even for security champions.
+ measure: Regular security training of security champions.
+ assessment: |
+ - Process Documentation: TODO
+ - Training Content: TOODO
+ difficultyOfImplementation:
+ knowledge: 4
+ time: 2
+ resources: 2
+ usefulness: 5
+ level: 2
+ implementation:
+ - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
+ name: OWASP Cheatsheet Series
+ tags:
+ - secure coding
+ url: https://cheatsheetseries.owasp.org/
+ dependsOn:
+ - Each team has a security champion
+ references:
+ samm2:
+ - D-TA-2-B
+ - G-EG-1-A
+ iso27001-2017:
+ - Security champions are missing in ISO 27001
+ - 7.2.2
+ iso27001-2022:
+ - Security champions are missing in ISO 27001
+ - 6.3
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/f88d1b17-3d7d-4c3d-8139-ad44fc4942d4
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Reward of good communication:
+ uuid: 91b6f75b-9f4a-4d77-95a2-af7ad3222c7c
+ risk: Employees are not getting excited about security.
+ measure: Good communication and transparency encourages cross-organizational
+ support. Gamification of security is also known to help, examples include
+ T-Shirts, mugs, cups, gift cards and 'High-Fives'.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 2
+ resources: 1
+ usefulness: 3
+ level: 2
+ implementation:
+ - uuid: 8e1b4a8a-c53b-4b1e-90f6-c60b7e225098
+ name: Motivate people
+ tags:
+ - security champions
+ - gamification
+ - nudging
+ url: https://github.com/wurstbrot/security-pins
+ description: |-
+ Enhance motivation can be performed with the distribution of pins
+ as a reward, see [OWASP Security Pins Project](https://github.com/wurstbrot/security-pins)
+ - uuid: 22b63bdb-2003-4ac0-969d-b1e5268c2510
+ name: OWASP Top 10 Maturity Categories for Security Champions
+ tags:
+ - security champions
+ url: https://owaspsamm.org/presentations/OWASP_Top_10_Maturity_Categories_for_Security_Champions.pptx
+ references:
+ samm2:
+ - G-EG-1-B
+ iso27001-2017:
+ - not required by ISO 27001
+ - interestingly enough A7.2.3 is requiring a process to handle misconduct
+ but nothing to promote good behavior.
+ iso27001-2022:
+ - ISO 27001:2022 mapping is missing
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/91b6f75b-9f4a-4d77-95a2-af7ad3222c7c
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Security Coaching:
+ uuid: f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3
+ risk: Training does not change behaviour. Therefore, even if security practices
+ are understood, it's likely that they are not performed.
+ measure: By coaching teams on security topics using for example the samman coaching
+ method, teams internalize security practices as new habits in their development
+ process.
+ difficultyOfImplementation:
+ knowledge: 4
+ time: 3
+ resources: 1
+ usefulness: 3
+ implementation:
+ - uuid: 9223be73-00da-400e-a910-3871734cff2f
+ name: sammancoaching
+ tags:
+ - documentation
+ - coaching
+ - education
+ url: https://sammancoaching.org/
+ description: |
+ Security coaches work with software development teams to help them adopt better security practices.
+ level: 3
+ references:
+ samm2:
+ - G-EG-3-B
+ iso27001-2017:
+ - 7.1.1
+ iso27001-2022:
+ - 6.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Security code review:
+ uuid: 7121b0c7-6ace-4d6b-95d0-94535dbccb57
+ risk: Understanding security is hard.
+ measure: |
+ The following areas of code tend to have a high-risk of containing security vulnerabilities:
+ - Crypto implementations / usage
+ - Parser, unparser
+ - System configuration
+ - Authentication, authorization
+ - Session management
+ - Request throttling
+ - :unicorn: (self-developed code, only used in that one software)
+ description: |
+ ### Benefits
+ - New vulnerabilities may be found before reaching production.
+ - Old vulnerabilities are found and fixed.
+ assessment: |
+ - Present the performed reviews (including participants, findings, consequences) and assess whether it is reasonable.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 2
+ resources: 1
+ usefulness: 3
+ level: 2
+ implementation:
+ - uuid: c77f7ecd-76de-4611-bd6d-5b249f910c39
+ name: CWE Top 25 Most Dangerous Software Weaknesses
+ tags:
+ - documentation
+ - threat
+ url: https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
+ credits: |
+ AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
+ references:
+ samm2:
+ - V-ST-1-B
+ iso27001-2017:
+ - ISO 27001:2017 mapping is missing
+ iso27001-2022:
+ - ISO 27001:2022 mapping is missing
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/7121b0c7-6ace-4d6b-95d0-94535dbccb57
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Security consulting on request:
+ uuid: 0b28367b-75a0-4bae-a926-3725c1bf9bb0
+ risk: Not asking a security expert when questions regarding security appear
+ might lead to flaws.
+ measure: Security consulting to teams is given on request. The security consultants
+ can be internal or external.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 1
+ resources: 1
+ usefulness: 3
+ level: 1
+ implementation:
+ - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
+ name: OWASP Cheatsheet Series
+ tags:
+ - secure coding
+ url: https://cheatsheetseries.owasp.org/
+ references:
+ samm2:
+ - G-EG-1-A
+ iso27001-2017:
+ - security consulting is missing in ISO 27001 may be
+ - 6.1.1
+ - 6.1.4
+ - 6.1.5
+ iso27001-2022:
+ - Security consulting is missing in ISO 27001 may be
+ - 5.2
+ - 5.6
+ - 5.8
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/0b28367b-75a0-4bae-a926-3725c1bf9bb0
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Security-Lessoned-Learned:
+ uuid: 58c46807-fee9-448b-b6dd-8050c464ab52
+ risk: After an incident, a similar incident might reoccur.
+ measure: Running a 'lessons learned' session after an incident helps drive continuous
+ improvement. Regular meetings with security champions are a good place to
+ share and discuss lessons learned.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 3
+ resources: 1
+ usefulness: 3
+ level: 3
+ implementation: []
+ references:
+ samm2:
+ - O-IM-3-B
+ iso27001-2017:
+ - 16.1.6
+ iso27001-2022:
+ - 5.27
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/58c46807-fee9-448b-b6dd-8050c464ab52
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Simple mob hacking:
+ uuid: 535f301a-e8e8-4eda-ad77-a08b035c92de
+ risk: Understanding security is hard.
+ measure: |
+ Participate with your whole team in a simple mob hacking session organized by the Security Champion Guild.
+ In the session the guild presents a vulnerable application and together you look at possible exploits.
+ Just like in mob programming there is one driver and several navigators.
+ description: |
+ ### Guidelines for your simple mob hacking session
+ - All exploits happen via the user interface.
+ - No need for security/hacking tools.
+ - No need for deep technical or security knowledge.
+ - Use an insecure training app, e.g., [DVWA](https://dvwa.co.uk/) or [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/).
+ - Encourage active participation, e.g., use small groups.
+ - Allow enough time for everyone to run at least one exploit.
+
+ ### Benefits
+ - The team gets an idea of how exploits can look like and how easy applications can be attacked.
+ - The team understands functional correct working software can be highly insecure and easy to exploit.
+ difficultyOfImplementation:
+ knowledge: 5
+ time: 3
+ resources: 1
+ usefulness: 3
+ level: 3
+ credits: |
+ AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
+ implementation:
+ - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a
+ name: OWASP Juice Shop
+ tags:
+ - training
+ url: https://github.com/bkimminich/juice-shop
+ description: In case you do not have the budget to hire an external security
+ expert, an option is to use the OWASP JuiceShop on a "hacking Friday"
+ - uuid: a8cd9acb-ad22-44d6-b177-1154c65a8529
+ name: Damn Vulnerable Web Application
+ tags:
+ - training
+ description: Simple Application with intended vulnerabilities. HTML based.
+ references:
+ samm2:
+ - G-EG-1-A
+ iso27001-2017:
+ - 7.2.2
+ iso27001-2022:
+ - 6.3
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
+ and Guidance/535f301a-e8e8-4eda-ad77-a08b035c92de
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Process:
+ Approval by reviewing any new version:
+ uuid: 3f63bdbc-c75f-4780-a941-e6ad42e894e1
+ risk: An individual might forget to implement security measures to protect source
+ code or infrastructure components.
+ measure: On each new version (e.g. Pull Request) of source code or infrastructure
+ components a security peer review of the changes is performed (two eyes principle)
+ and approval given by the reviewer.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 1
+ usefulness: 3
+ level: 3
+ implementation: []
+ references:
+ samm2: []
+ iso27001-2017:
+ - Peer review - four eyes principle is not explicitly required by ISO 27001
+ - 6.1.2
+ - 14.2.1
+ iso27001-2022:
+ - Peer review - four eyes principle is not explicitly required by ISO 27001
+ - 5.3
+ - 8.25
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/3f63bdbc-c75f-4780-a941-e6ad42e894e1
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Definition of a change management process:
+ uuid: b4193d32-3948-47e2-a326-3748c48019a1
+ risk: The impact of a change is not controlled because these are not recorded
+ or documented.
+ measure: Each change of a system is automatically recorded and adequately logged.
+ difficultyOfImplementation:
+ knowledge: 4
+ time: 3
+ resources: 1
+ usefulness: 3
+ level: 3
+ implementation: []
+ references:
+ samm2: []
+ iso27001-2017:
+ - 14.2.2
+ - 12.1.2
+ - 12.4.1
+ iso27001-2022:
+ - 8.32
+ - 8.15
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/b4193d32-3948-47e2-a326-3748c48019a1
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Definition of simple BCDR practices for critical components:
+ uuid: c72da779-86cc-45b1-a339-190ce5093171
+ description: A _Business Continuity and Disaster Recovery_ (BCDR) is a plan
+ and a process that helps a business to return to normal operations if a disaster
+ occurs.
+ risk: If the disaster recovery actions are not clear, you risk slow reaction
+ and remediation delays. This applies to cyber attacks as well as natural emergencies,
+ such as a power outage.
+ measure: By understanding and documenting a business continuity and disaster
+ recovery (BCDR) plan, the overall availability of systems and applications
+ is increased.
Success factors like responsibilities, Service Level Agreements,
+ Recovery Point Objectives, Recovery Time Objectives or Failover must be fully
+ documented and understood by the people involved in the recovery.
+ difficultyOfImplementation:
+ knowledge: 4
+ time: 3
+ resources: 2
+ usefulness: 4
+ level: 1
+ implementation: []
+ references:
+ samm2: []
+ iso27001-2017:
+ - 17.1.1
+ iso27001-2022:
+ - 5.29
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/c72da779-86cc-45b1-a339-190ce5093171
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Determining the protection requirement:
+ uuid: 72737130-472c-4984-80f8-9ab2f1c2ed5d
+ risk: "Not defining the protection requirement of applications can lead to wrong
+ prioritization, delayed remediation of \ncritical security issues, increasing
+ the risk of exploitation and potential damage to the organization."
+ measure: "Defining the protection requirement. \nThe protection requirements
+ for an application should consider:\n- Processed data criticality\n- Application
+ accessibility (internal vs. external)\n- Regulatory compliance\n- Other relevant
+ factors"
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 1
+ usefulness: 3
+ level: 2
+ dependsOn:
+ - Inventory of production components
+ implementation:
+ - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
+ name: OWASP DefectDojo
+ tags:
+ - vulnerability management system
+ - owasp
+ url: https://github.com/DefectDojo/django-DefectDojo
+ description: |
+ DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
+ name: Purify
+ tags:
+ - vulnerability management system
+ url: https://github.com/faloker/purify/
+ description: |
+ The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
+ name: Business friendly vulnerability management metrics
+ url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ tags:
+ - documentation
+ - vulnerability
+ - vulnerability management system
+ - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
+ name: DefectDojo Client
+ tags:
+ - Defectdojo
+ - statistics
+ url: https://github.com/SDA-SE/defectdojo-client
+ description: |
+ This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/72737130-472c-4984-80f8-9ab2f1c2ed5d
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurements
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+Implementation:
+ Application Hardening:
+ App. Hardening Level 1:
+ uuid: cf819225-30cb-4702-8e32-60225eedc33d
+ risk: Using an insecure application might lead to a compromised application.
+ This might lead to total data theft or data modification.
+ measure: |
+ Following frameworks like the
+ * OWASP Application Security Verification Standard Level 1
+ * OWASP Mobile Application Security Verification Standard
+
+ in all applications provides a good baseline. Implement 95%-100% of the recommendations.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 1
+ usefulness: 4
+ level: 2
+ dependsOn:
+ - App.
Hardening Level 1 (50%)
+ description: |
+ To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jump-start the development process, but also do so securely.
+
+ [...]
+
+ ### Planning aka Requirements Gathering & Analysis
+ The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security.
+
+ ![SAMM Requirements](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/OWASP-in0.png)
+
+ Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process.
+
+ These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations.
+
+ In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below.
+
+ Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md)
+ implementation:
+ - uuid: 88767cde-1610-402e-98ec-bc3575377183
+ name: OWASP ASVS
+ tags: []
+ url: https://owasp.org/www-project-application-security-verification-standard/
+ - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
+ name: OWASP MASVS
+ tags: []
+ url: https://github.com/OWASP/owasp-masvs
+ - uuid: 596cb528-8981-4723-bcc3-22c261f26114
+ name: API Security Maturity Model for Authorization
+ tags:
+ - api
+ url: https://curity.io/resources/learn/the-api-security-maturity-model/
+ references:
+ samm2:
+ - D-SR-1-A
+ iso27001-2017:
+ - Hardening is not explicitly covered by ISO 27001 - too specific
+ - 13.1.3
+ iso27001-2022:
+ - Hardening is not explicitly covered by ISO 27001 - too specific
+ - 8.22
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
+ Hardening/cf819225-30cb-4702-8e32-60225eedc33d
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ App. Hardening Level 1 (50%):
+ uuid: b597928e-54d6-48a5-a806-8003dcd56aab
+ risk: Using an insecure application might lead to a compromised application.
+ This might lead to total data theft or data modification.
+ measure: |
+ Following frameworks like the
+ * OWASP Application Security Verification Standard Level 1
+ * OWASP Mobile Application Security Verification Standard
+
+ in all applications provides a good baseline. Implement 50% of the recommendations.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 1
+ usefulness: 3
+ level: 1
+ description: |
+ To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely.
Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jumpstart the development process, but also do so securely.
+
+ [...]
+
+ ### Planning aka Requirements Gathering & Analysis
+ The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security.
+
+ ![SAMM Requirements](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/OWASP-in0.png)
+
+ Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process.
+
+ These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations.
+
+ In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below.
+ + Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md) + implementation: + - uuid: 88767cde-1610-402e-98ec-bc3575377183 + name: OWASP ASVS + tags: [] + url: https://owasp.org/www-project-application-security-verification-standard/ + - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 + name: OWASP MASVS + tags: [] + url: https://github.com/OWASP/owasp-masvs + - uuid: 596cb528-8981-4723-bcc3-22c261f26114 + name: API Security Maturity Model for Authorization + tags: + - api + url: https://curity.io/resources/learn/the-api-security-maturity-model/ + references: + samm2: + - D-SR-1-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/b597928e-54d6-48a5-a806-8003dcd56aab + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + App. Hardening Level 2: + uuid: ffe86caf-2fec-4630-b514-2db83983984d + risk: Using an insecure application might lead to a compromised application. + This might lead to total data theft or data modification. + measure: | + Following frameworks like the + * OWASP Application Security Verification Standard Level 2 + * OWASP Mobile Application Security Verification Standard Level 2 + + Implement 95%-100% of the recommendations. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 3 + level: 4 + implementation: + - uuid: 88767cde-1610-402e-98ec-bc3575377183 + name: OWASP ASVS + tags: [] + url: https://owasp.org/www-project-application-security-verification-standard/ + - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 + name: OWASP MASVS + tags: [] + url: https://github.com/OWASP/owasp-masvs + references: + samm2: + - D-SR-2-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/ffe86caf-2fec-4630-b514-2db83983984d + comments: "" + dependsOn: + - App. Hardening Level 2 (75%) + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + App. Hardening Level 2 (75%): + uuid: 03643ca2-03c2-472b-8e19-956bf02fe9b7 + risk: Using an insecure application might lead to a compromised application. + This might lead to total data theft or data modification. + measure: | + Following frameworks like the + * OWASP Application Security Verification Standard Level 2 + * OWASP Mobile Application Security Verification Standard Level 2 + + Implement 75% of the recommendations. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 88767cde-1610-402e-98ec-bc3575377183 + name: OWASP ASVS + tags: [] + url: https://owasp.org/www-project-application-security-verification-standard/ + - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 + name: OWASP MASVS + tags: [] + url: https://github.com/OWASP/owasp-masvs + references: + samm2: + - D-SR-2-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/03643ca2-03c2-472b-8e19-956bf02fe9b7 + comments: "" + dependsOn: + - App. Hardening Level 1 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + App. Hardening Level 3: + uuid: 4cae98c2-4163-44ed-bb88-3c67c569533a + risk: Using an insecure application might lead to a compromised application. + This might lead to total data theft or data modification. + measure: | + Following frameworks like the + * OWASP Application Security Verification Standard Level 3 + * OWASP Mobile Application Security Verification Standard + + Implement 95%-100% of the recommendations. 
+ difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 2 + usefulness: 4 + level: 5 + implementation: + - uuid: 88767cde-1610-402e-98ec-bc3575377183 + name: OWASP ASVS + tags: [] + url: https://owasp.org/www-project-application-security-verification-standard/ + - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 + name: OWASP MASVS + tags: [] + url: https://github.com/OWASP/owasp-masvs + references: + samm2: + - D-SR-3-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/4cae98c2-4163-44ed-bb88-3c67c569533a + dependsOn: + - App. Hardening Level 2 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Containers are running as non-root: + uuid: a86c1fbc-28fd-4610-89a3-a7f73acfe45f + risk: |- + There are various reasons to run a container as non-root. 
Samples are listed: + ## Container Escape Vectors + + - Root privileges significantly increase the chance of breaking container isolation + - Root access can be leveraged to exploit kernel vulnerabilities + - Compromised root containers provide attackers with maximum privileges inside the container + - Greater potential for escaping container boundaries to the host system + + ## Host System Vulnerabilities + + Root containers can potentially: + + - Mount sensitive host filesystems + - Access critical device files + - Modify host network settings + - Interact with host system processes + - Override security controls + + ## Resource Management Issues + + Root privileges may allow containers to: + + - Bypass resource quotas and limits + - Modify control group (cgroup) settings + - Interfere with other containers' resources + - Circumvent memory and CPU restrictions + + Security Boundary Weakening + + - Violates the principle of least privilege + - Provides unnecessary elevated permissions + - Expands the potential attack surface + - Increases the impact of a successful compromise + measure: "Containers are running as non-root. This can be enforced in the image + itself or during runtime parameters \n(e.g. `podman run --user [...]`)." 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/a86c1fbc-28fd-4610-89a3-a7f73acfe45f + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Context-aware output encoding: + uuid: e1f37abb-d848-4a3a-b3df-65e91a89dcb7 + description: "**Input validation** stops malicious data from entering your system. + \\\n**Output encoding** neutralizes malicious data before rendering to user, + or the next system.\n\nInput validation and output encoding work together. + Apply both. \n\n**Context-aware output encoding** encodes data differently, + depending on its context. In the sample below the `{{bad_data}}` must be encoded + differently, depending on its context, to render safe HTML.\n\n```html\n
{{bad_data}}
\nClick me\n\n\n``` \n" + risk: If an attacker manages to slip though your input validation, the attacker + may gain control over the user session or execute arbitrary actions. + measure: "* Use modern secure frameworks such as React/Angular/Vue/Svelte. The + default method here renders data in a safe way.\n* Use established and well-maintained + encoding libraries such as OWASP\u2019s Java Encoder and Microsoft\u2019s + AntiXSS.\n* Implement content security policies (CSP) to restrict the types + of content that can be loaded and executed.\n" + difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 3 + level: 1 + implementation: + - uuid: 2d61e48f-bade-4332-a383-adc50c29673a + name: OWASP DOM based XSS Prevention CheatSheet + url: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html + tags: [] + - uuid: ae97c9b0-308c-4dab-bff9-bf3330a897dc + name: CWE-838 Inappropriate Encoding for Output Context + tags: + - documentation + - cwe + url: https://cwe.mitre.org/data/definitions/838.html + references: + samm2: + - D-SR-1-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/e1f37abb-d848-4a3a-b3df-65e91a89dcb7 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Parametrization: + uuid: 00e91a8a-3972-4692-8679-674ab8547486 + description: | + By concatenating strings from user input to build SQL queries, an attacker can manipulate the query to do other unintentional SQL commands as well. + + This is called *SQL injection* but the principle applies to NoSql, and anywhere that your code is building commands that will be executed. + + Pay attention to these two lines of code. They seem similar, but behave very differently. 
+ + * `sql.execute("SELECT * FROM table WHERE ID = " + id);` + * `sql.execute("SELECT * FROM table WHERE ID = ?", id);` + The second line is parameterized. The same principle applies to other types, such as command line execution, etc. + risk: "Systems vulnerable to injections may lead to data breaches, loss of data, + \nunauthorized alteration of data, or complete database compromise or downtime.\n\nThis + applies to SQL, NoSql, LDAP, XPath, email headers OS commands, etc. \n" + measure: | + * Identify which of the types your application is using. Check that you use: + * Use _parametrized queries_ (or _prepared statements_) + * For database queries, you may also use: + * Use _stored procedures_ () + * Use ORM (Object-Relational Mapping) tools that automatically handle input sanitization + difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 3 + level: 1 + implementation: + - uuid: d880fa0f-9dbb-454e-a003-d844fad31ab4 + name: OWASP Parameterization CheatSheet + url: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html + tags: [] + references: + samm2: + - D-SR-1-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application + Hardening/00e91a8a-3972-4692-8679-674ab8547486 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Secure headers: + uuid: 29318d60-18ce-4526-80ea-f5928e49f639 + risk: | + Missing or misconfigured security headers can lead to various security vulnerabilities, e.g.: + - Cross-Site Scripting (XSS) due to missing Content Security Policy + - Clickjacking attacks due to missing X-Frame-Options + - Information disclosure through Server header exposure + - SSL/TLS downgrade attacks due to missing HSTS + - Cross-site 
scripting and injection due to missing security headers + measure: | + Implement and enforce security headers across all applications and services + + Implementation Methods: + 1. Reverse Proxy/Load Balancer: Configure at nginx/Apache level + 2. Web Application: Implement in the application middleware + 3. Service Mesh: Configure at the ingress controller level + 4. Standard Docker Image: Use secure base images with preset headers + + Remove or Secure: + - Server header: Hide server version information + - X-Powered-By: Remove technology stack information + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 3 + implementation: + - uuid: 370b7f35-4da7-4833-89d6-7266b82ea07e + name: OWASP Secure Headers Project + tags: + - header + - documentation + url: https://owasp.org/www-project-secure-headers/ + description: "The OWASP Secure Headers Project (also called OSHP) describes + HTTP response headers that your application can use \nto increase the security + of your application. Once set, these HTTP response headers can restrict + modern browsers \nfrom running into easily preventable vulnerabilities. + The OWASP Secure Headers Project intends to raise awareness\nand use of + these headers." 
+ meta: + implementationGuide: | + Essential headers: + - Content-Security-Policy: Define trusted sources for content + - Strict-Transport-Security: Enforce HTTPS connections + - X-Frame-Options: Prevent clickjacking attacks + - X-Content-Type-Options: Prevent MIME-type sniffing + - X-XSS-Protection: Enable browser's XSS filtering + - Referrer-Policy: Control information in the Referrer header + references: + samm2: + - D-SR-3-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/cre/620-421 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Development and Source Control: + .gitignore: + uuid: 363a3eea-baf9-4010-88ca-bb8186a2989d + risk: Unintended leakage of secrets, debug, or workstation specific data + measure: .gitignore files help prevent accidental commits of secrets, debug, + or workstation specific data + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 5 + level: 4 + dependsOn: [] + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.1.1 + - 12.1.2 + - 14.2.2 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.37 + - 8.32 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/363a3eea-baf9-4010-88ca-bb8186a2989d + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Block force pushes: + uuid: c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17 + risk: "Misuse of force push can lead to loss of work. It may overwrite remote + \nbranches without warning, potentially erasing valuable contributions from + team members. 
This can disrupt collaboration, \ncause data loss, and create + confusion in the development process.\n\nBypassing the pull request process + might remove an important code review step. \nThis increases the risk of merging + low-quality or buggy code into the main branch, potentially introducing bugs + in the codebase." + measure: Mandate blocking of force pushes in the version control platform. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 3 + level: 3 + dependsOn: + - Require a PR before merging + implementation: + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops + tags: + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + tags: + - source-code-protection + - scm + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 6.1.2 + - 14.2.1 + iso27001-2022: + - 5.3 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Dismiss stale PR approvals: + uuid: ea6f69f7-54a5-4922-ac15-a77ff0c16162 + risk: Intentional or accidental alterations in critical branches like main (or + master) through post-approval code additions. + measure: Implement a policy where any commits made after a pull request has + been approved automatically revoke that approval, necessitating a fresh review + and re-approval process. 
+ difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - Require a PR before merging + implementation: + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops + tags: + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + tags: + - source-code-protection + - scm + - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 + name: Enforcement of commit signing + tags: + - signing + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule + description: Usage of branch protection rules + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 6.1.2 + - 14.2.1 + iso27001-2022: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 5.3 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/ea6f69f7-54a5-4922-ac15-a77ff0c16162 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Local development linting & style checks performed: + uuid: 517b0957-4981-4ac0-b4c7-0d8d1934c474 + risk: Insecure or unmaintainable code base. + measure: Integrate static code analysis tools in IDEs. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 2 + level: 5 + description: "" + implementation: + - uuid: 0b7ec352-0c36-4de1-8912-617fc6c608fe + name: How to enforce a consistent coding style in your projects + url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm + tags: + - ide + - linting + - uuid: aa5ded61-5380-4da6-9474-afc36a397682 + name: In-Depth Linting of Your TypeScript While Coding + url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding + tags: + - ide + - linting + references: + samm2: + - V-ST-1-A + iso27001-2017: + - ISO 27001:2017 mapping is missing + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/517b0957-4981-4ac0-b4c7-0d8d1934c474 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Require a PR before merging: + uuid: e7598ac4-b082-4e56-b7df-e2c6b426a5e2 + risk: Intentional or accidental alterations in critical branches like main (or + master). + measure: Define source code management system policies (e.g. branch protection + rules, mandatory code reviews from at least one person, ...) to ensure that + changes to critical branches are only possible under defined conditions. These + policies can be implemented at repository level or organization level, depending + on the source code management system. 
+ difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 2 + implementation: + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops + tags: + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + tags: + - source-code-protection + - scm + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 6.1.2 + - 14.2.1 + iso27001-2022: + - Peer review - four eyes principle is not explicitly required by ISO 27001 + - 5.3 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/e7598ac4-b082-4e56-b7df-e2c6b426a5e2 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Require status checks to pass: + uuid: ac8730a2-ccc0-465c-9550-d91edae9d5ee + risk: Organizations risk introducing broken builds, quality issues, and security + vulnerabilities into their codebase. + measure: Mandate passing of security related specified status checks, like successful + builds or static application security tests, before proceeding. 
+ difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - Require a PR before merging + implementation: + - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a + name: Improve code quality with branch policies + url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops + tags: + - source-code-protection + - scm + - uuid: 99211481-de9c-4358-880e-628366416a27 + name: About protected branches + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + tags: + - source-code-protection + - scm + - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 + name: Enforcement of commit signing + tags: + - signing + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule + description: Usage of branch protection rules + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 6.1.2 + - 14.2.1 + iso27001-2022: + - 5.3 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/ac8730a2-ccc0-465c-9550-d91edae9d5ee + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Versioning: + uuid: 066084c6-1135-4635-9cc5-9e75c7c5459f + risk: Deployment of untracked artifacts. + measure: Version artifacts in order to identify deployed features and issues. + This includes application and infrastructure code, jenkins configuration, + container and virtual machine images. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 5 + level: 1 + dependsOn: + - Defined deployment process + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.1.1 + - 12.1.2 + - 14.2.2 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.37 + - 8.32 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development + and Source Control/066084c6-1135-4635-9cc5-9e75c7c5459f + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Infrastructure Hardening: + Applications are running in virtualized environments: + uuid: 3a94d55e-fd82-4996-9eb3-20d23ff2a873 + risk: Through a vulnerability in one service on a server, the attacker gains + access to other services running on the same server. + measure: Applications are running in a dedicated and isolated virtualized environments. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 5 + usefulness: 3 + level: 2 + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/3a94d55e-fd82-4996-9eb3-20d23ff2a873 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Backup: + uuid: 5c61fd6b-8106-4c68-ac28-a8a42f1c67dc + risk: If errors are experienced during the deployment process you want to deploy + an old release. However, due to changes in the database this is often unfeasible. + measure: Performing automated periodical backups are used. Backup before deployment + can help facilitate deployments whilst testing the backup restore processes. 
+ difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 4 + level: 2 + implementation: + - uuid: ba7348e5-1abf-4c7d-8fbc-49f99460930b + name: A complete backup of persisted data might be performed*. + tags: [] + - uuid: 9af7624e-0729-4eeb-b257-ebaf65f70355 + name: A Point in Time Recovery for databases should be implemented. + tags: [] + dependsOn: + - Defined deployment process + references: + samm2: + - TODO + iso27001-2017: + - 12.3 + - 14.2.6 + iso27001-2022: + - 8.13 + - 8.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/5c61fd6b-8106-4c68-ac28-a8a42f1c67dc + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Baseline Hardening of the environment: + uuid: 5992c38c-8597-4035-89db-d15820d81c3a + risk: Using default configurations for a cluster environment leads to potential + risks. + measure: Harden environments according to best practices. Level 1 and partially + level 2 from hardening practices like 'CIS Kubernetes Bench for Security' + should be considered. + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 2 + usefulness: 4 + level: 2 + implementation: + - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff + name: CIS Kubernetes Bench for Security + tags: [] + url: https://www.cisecurity.org/cis-benchmarks/ + - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f + name: CIS Docker Bench for Security + tags: [] + url: https://www.cisecurity.org/cis-benchmarks/ + - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef + name: For example for Cont + tags: [] + description: 'For example for Containers: Deny running containers as root, + deny using advanced privileges, deny mounting of the hole filesystem, ...' 
+ url: https://d3fend.mitre.org/technique/d3f:ExecutionIsolation/ + - uuid: 3b7df373-2ad9-456e-9abe-439cdc9d4d8b + name: Attack Matrix Cloud + tags: + - mitre + url: https://attack.mitre.org/matrices/enterprise/cloud/ + description: Attack matrix for cloud + - uuid: 59881520-4c69-4922-a44e-99044a77de2b + name: Attack Matrix Containers + tags: + - mitre + url: https://attack.mitre.org/matrices/enterprise/cloud/ + description: Attack matrix for containers + - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 + name: Attack Matrix Kubernetes + tags: + - mitre + url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + description: Attack matrix for kubernetes + - uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af + name: Defend the core kubernetes security at every layer + url: https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer/ + tags: + - documentation + - cluster + - kubernetes + references: + samm2: + - O-EM-1-A + iso27001-2017: + - system hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/5992c38c-8597-4035-89db-d15820d81c3a + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Filter outgoing traffic: + uuid: 6df508ef-86fc-4c22-bd9f-646c3127ce7d + risk: A compromised infrastructure component might try to send out stolen data. + measure: Having a whitelist and explicitly allowing egress traffic provides + the ability to stop unauthorized data leakage. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 2 + level: 3 + dependsOn: [] + implementation: + - uuid: 4a024319-4510-4a53-a8b6-8f35b6c01867 + name: Open Policy Agent + tags: [] + url: https://www.openpolicyagent.org/ + - uuid: e3c6fb92-3f7d-471f-9308-c62359f4f1b7 + name: firewalls + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/ + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/6df508ef-86fc-4c22-bd9f-646c3127ce7d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Hardening of the Environment: + uuid: dcf9601b-b4f2-4e25-9143-e39af75f7c33 + risk: Using default configurations for a cluster environment leads to potential + risks. + measure: Harden environments according to best practices. Level 2 and partially + level 3 from hardening practices like 'CIS Kubernetes Bench for Security' + should be considered. + difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 2 + usefulness: 3 + level: 4 + implementation: + - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff + name: CIS Kubernetes Bench for Security + tags: [] + url: https://www.cisecurity.org/cis-benchmarks/ + - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f + name: CIS Docker Bench for Security + tags: [] + url: https://www.cisecurity.org/cis-benchmarks/ + - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef + name: For example for Cont + tags: [] + description: 'For example for Containers: Deny running containers as root, + deny using advanced privileges, deny mounting of the hole filesystem, ...' 
+ url: https://d3fend.mitre.org/technique/d3f:ExecutionIsolation/ + - uuid: 3b7df373-2ad9-456e-9abe-439cdc9d4d8b + name: Attack Matrix Cloud + tags: + - mitre + url: https://attack.mitre.org/matrices/enterprise/cloud/ + description: Attack matrix for cloud + - uuid: 59881520-4c69-4922-a44e-99044a77de2b + name: Attack Matrix Containers + tags: + - mitre + url: https://attack.mitre.org/matrices/enterprise/cloud/ + description: Attack matrix for containers + - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 + name: Attack Matrix Kubernetes + tags: + - mitre + url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + description: Attack matrix for kubernetes + - uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af + name: Defend the core kubernetes security at every layer + url: https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer/ + tags: + - documentation + - cluster + - kubernetes + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/dcf9601b-b4f2-4e25-9143-e39af75f7c33 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Immutable infrastructure: + uuid: 48e92bb1-fdba-40e8-b6c2-35de0d431833 + risk: The availability of IT systems might be disturbed due to components failures + measure: Redundancies in the IT systems + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 3 + dependsOn: + - Infrastructure as Code + implementation: + - uuid: b206481f-9c66-45e2-843c-37c5730580cd + name: Remove direct access to infrastructure + tags: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 17.2.1 + iso27001-2022: + - Not 
explicitly covered by ISO 27001 - too specific + - 8.14 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/48e92bb1-fdba-40e8-b6c2-35de0d431833 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Infrastructure as Code: + uuid: 8b994601-575e-4ea5-b228-accb18c8e514 + risk: No tracking of changes in systems might lead to errors in the configuration. + In additions, it might lead to unauthorized changes. An examples is jenkins. + measure: Systems are setup by code. A full environment can be provisioned. In + addition, software like Jenkins 2 can be setup and configured in in code too. + The code should be stored in a version control system. + difficultyOfImplementation: + knowledge: 3 + time: 5 + resources: 4 + usefulness: 4 + level: 3 + implementation: + - uuid: b0931397-2402-44f1-814b-63292ab4a339 + name: GitOps + tags: [] + url: https://www.redhat.com/en/topics/devops/what-is-gitops + - uuid: 73747d35-2185-4f22-94a0-723288fa283c + name: Ansible + tags: [] + url: https://github.com/ansible/ansible + - uuid: 691c443f-b6e2-498d-94dc-778d8d51cfce + name: Chef + tags: [] + url: https://github.com/chef/chef + - uuid: eb7f76a8-87e5-4394-af4c-c09487c85982 + name: Puppet + tags: [] + url: https://github.com/puppetlabs/puppet + - uuid: 321dcfe4-d2fc-4dd2-85bf-aac563958458 + name: Jenkinsfile + tags: [] + url: https://www.jenkins.io/doc/book/pipeline/jenkinsfile/ + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.1.1 + - 12.1.2 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.37 + - 8.32 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/8b994601-575e-4ea5-b228-accb18c8e514 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Isolated networks for virtual environments: + uuid: 
4ce24abd-8ba6-494c-828d-4d193e28e4a1 + risk: Virtual environments in default settings are able to access other virtual + environments on the network stack. By using virtual machines, it is often + possible to connect to other virtual machines. By using docker, one bridge + is used by default so that all containers on one host can communicate with + each other. + measure: The communication between virtual environments is controlled and regulated. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 5 + level: 2 + dependsOn: [] + implementation: + - uuid: 9429d52c-203d-49ae-814f-1401210887cd + name: istio + tags: [] + url: https://istio.io/ + - uuid: fc0eda30-2bf7-466f-948e-e17584db9f30 + name: bridges + tags: [] + - uuid: e3c6fb92-3f7d-471f-9308-c62359f4f1b7 + name: firewalls + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/ + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/4ce24abd-8ba6-494c-828d-4d193e28e4a1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Limitation of system events: + uuid: e5386abf-9154-4752-a1a8-c3a8900f732d + risk: System events (system calls) can lead to privilege escalation. + measure: System calls are limited. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 5 + level: 3 + dependsOn: + - Audit of system events + implementation: + - uuid: 0cc7e68b-f7d9-4e66-8065-47d076129ffd + name: seccomp + tags: [] + url: https://man7.org/linux/man-pages/man2/seccomp.2.html + - uuid: 73ab2e3d-11a7-459d-8b57-9337662bd1ff + name: strace + tags: [] + url: https://man7.org/linux/man-pages/man1/strace.1.html + - uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012 + name: Falco + tags: + - falco + - systemcall + - monitoring + url: https://github.com/falcosecurity/falco + description: | + Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. + references: + samm2: + - O-EM-1-A + iso27001-2017: + - System hardening is not explicitly covered by ISO 27001 - too specific + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/e5386abf-9154-4752-a1a8-c3a8900f732d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + MFA: + uuid: 598e9f13-1ac8-4a01-b85e-8fab93ee81de + risk: One factor authentication is more vulnerable to brute force attacks and + is considered less secure. 
+ measure: Two ore more factor authentication for all accounts on all (important) + systems and applications + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 4 + level: 2 + dependsOn: + - MFA for admins + implementation: + - uuid: e76a395a-8d6a-4e25-a175-6cf25409b755 + name: Smartcard + tags: [] + url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 + name: YubiKey + tags: [] + url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 + name: SMS + tags: [] + - uuid: f69f5d03-691f-4e14-8fbc-ad66e2e5a12d + name: TOTP + tags: [] + url: https://d3fend.mitre.org/technique/d3f:One-timePassword/ + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 9.2.4 + - 6.1.2 + - 14.2.1 + iso27001-2022: + - 5.17 + - 5.3 + - 8.25 + d3f: + - Multi-factorAuthentication + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/598e9f13-1ac8-4a01-b85e-8fab93ee81de + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + MFA for admins: + uuid: 8098e416-e1ed-4ae4-a561-83efbe76bf57 + risk: One factor authentication is more vulnerable to brute force attacks and + is considered less secure. 
+ measure: Two ore more factor authentication for all privileged accounts on systems + and applications + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 4 + level: 1 + implementation: + - uuid: e76a395a-8d6a-4e25-a175-6cf25409b755 + name: Smartcard + tags: [] + url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 + name: YubiKey + tags: [] + url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 + name: SMS + tags: [] + - uuid: f69f5d03-691f-4e14-8fbc-ad66e2e5a12d + name: TOTP + tags: [] + url: https://d3fend.mitre.org/technique/d3f:One-timePassword/ + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 9.2.4 + - 6.1.2 + - 14.2.1 + iso27001-2022: + - 5.17 + - 5.3 + - 8.25 + d3f: + - Multi-factorAuthentication + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/8098e416-e1ed-4ae4-a561-83efbe76bf57 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Microservice-architecture: + uuid: 118b869b-3850-456e-98d9-1abdb85cbc5a + risk: Monolithic applications are hard to test. + measure: A microservice-architecture helps to have small components, which are + more easy to test. 
+ difficultyOfImplementation: + knowledge: 4 + time: 5 + resources: 5 + usefulness: 1 + level: 5 + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/118b869b-3850-456e-98d9-1abdb85cbc5a + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Production near environments are used by developers: + uuid: e14de741-94b3-447c-8b07-eea947d82e61 + risk: In case an errors occurs in production, the developer need to be able + to create a production near environment on a local development environment. + measure: Usage of infrastructure as code helps to create a production near environment. + The developer needs to be trained in order to setup a local development environment. + In addition, it should be possible to create production like test data. Often + personal identifiable information is anonymized in order to comply with data + protection laws. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 4 + level: 4 + dependsOn: + - Defined deployment process + - Infrastructure as Code + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 12.1.4 + - 17.2.1 + iso27001-2022: + - 8.31 + - 8.14 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/e14de741-94b3-447c-8b07-eea947d82e61 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Role based authentication and authorization: + uuid: 070bb14b-e04a-4f3d-896a-a08eba7a35f9 + risk: Everyone is able to get unauthorized access to information on systems + or to modify information unauthorized on systems. + measure: The usage of a (role based) access control helps to restrict system + access to authorized users. 
+ difficultyOfImplementation: + knowledge: 2 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 04edc63e-d389-48dd-b365-552aaf4ea004 + name: Directory Service + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:DirectoryService/ + - uuid: cc55cba1-ea0a-466e-99c5-337c9da2b00e + name: Plugins + tags: [] + dependsOn: + - Defined deployment process + - Defined build process + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 9.4.1 + iso27001-2022: + - 8.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/070bb14b-e04a-4f3d-896a-a08eba7a35f9 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Simple access control for systems: + uuid: 82e499d1-f463-4a4b-be90-68812a874af6 + risk: Attackers a gaining access to internal systems and application interfaces + measure: All internal systems are using simple authentication + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 5 + level: 1 + dependsOn: + - Defined deployment process + implementation: + - uuid: 41fda224-2980-443c-bfd4-0a1d4b520cb9 + name: HTTP-Basic Authentication + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:WebAuthentication/ + - uuid: e506f60b-747b-44b1-8fe8-f67ccd8f290e + name: VPN + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:VPN/ + references: + samm2: + - O-EM-1-A + iso27001-2017: + - 9.4.1 + iso27001-2022: + - 8.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/82e499d1-f463-4a4b-be90-68812a874af6 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of a chaos monkey: + uuid: f8e80f18-2503-4e3e-b3bc-7f67bb28defe + risk: Due to manual changes on a system, they are not replaceable anymore. In + case of a crash it might happen that a planned redundant system is unavailable. 
+ In addition, it is hard to replay manual changes. + measure: A randomized periodically shutdown of systems makes sure, that nobody + will perform manual changes to a system. + difficultyOfImplementation: + knowledge: 3 + time: 5 + resources: 5 + usefulness: 3 + level: 4 + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 17.1.3 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/f8e80f18-2503-4e3e-b3bc-7f67bb28defe + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of an security account: + uuid: 746025a6-dbfb-4087-a000-e46acab64ee1 + risk: Having security auditing in the same account as infrastructure and applications + at the cloud provide might cause evil administrators (or threat actors taking + over an account of an administrator) to alter evidence like audit logs. + measure: Usage of a separate account dedicated for security activities. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 3 + usefulness: 4 + level: 2 + implementation: "" + references: + samm2: + - I-SD-2-B + iso27001-2017: + - 10.1 + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/746025a6-dbfb-4087-a000-e46acab64ee1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of edge encryption at transit: + uuid: ad23be9c-5661-4f1f-81a3-5a5dc7061629 + risk: Evil actors might be able to perform a man in the middle attack and sniff + confidential information (e.g. authentication factors like passwords). 
+ measure: |- + By using encryption at the edge of traffic in transit, it is impossible + or at least harder to sniff credentials or information being outside of the organization. + + Using standard secure protocols like HTTPS is recommended. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 1 + implementation: "" + references: + samm2: + - I-SD-2-B + iso27001-2017: + - 10.1 + iso27001-2022: + - 8.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/ad23be9c-5661-4f1f-81a3-5a5dc7061629 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of encryption at rest: + uuid: 0ff45fb8-7eef-46ed-9b3a-84c955cd7060 + risk: Evil actors might be able to access data and read information, e.g. from + physical hard disks. + measure: By using encryption at rest, it is impossible or at least harder to + to read information. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 2 + implementation: "" + references: + samm2: + - I-SD-2-B + iso27001-2017: + - 10.1 + iso27001-2022: + - 8.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/0ff45fb8-7eef-46ed-9b3a-84c955cd7060 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of internal encryption at transit: + uuid: ecb0184c-6bc9-45da-bbbb-a983797ffc93 + risk: Evil actors within the organization of traffic in transit might be able + to perform a man in the middle attack and sniff confidential information (e.g. + authentication factors like passwords) + measure: By using encryption internally, e.g. inside of a cluster, it is impossible + or at least harder to sniff credentials. 
+ difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 3 + usefulness: 4 + level: 3 + implementation: "" + references: + samm2: + - I-SD-2-B + iso27001-2017: + - 10.1 + iso27001-2022: + - 8.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/ecb0184c-6bc9-45da-bbbb-a983797ffc93 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of security by default for components: + uuid: 11b3848e-e931-4146-a35d-35409ada24ee + risk: Components (images, libraries, applications) are not hardened. + measure: Hardening of components is important, specially for image on which + other teams base on. Hardening should be performed on the operation system + and on the services inside (e.g. Nginx or a Java-Application). + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: d7fb1f5a-05e3-49f7-ae67-00bfb8f8410c + name: 'For applications: Check default encoding' + tags: [] + - uuid: 7e744f11-976e-46b6-88d4-f39b2965dfaf + name: managing secrets + tags: [] + url: https://d3fend.mitre.org/technique/d3f:CredentialHardening/ + - uuid: 520517ef-2911-4efc-8e1b-dcc9389aca45 + name: crypto + tags: [] + - uuid: ba6bd46c-2069-4f4d-b26c-7334a7553339 + name: authentication + tags: [] + url: https://d3fend.mitre.org/dao/artifact/d3f:Authentication/ + dependsOn: + - Defined build process + references: + samm2: + - O-EM-1-A + iso27001-2017: + - not explicitly covered by ISO 27001 - too specific + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/11b3848e-e931-4146-a35d-35409ada24ee + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of test and production environments: + uuid: bfdacb52-1e3f-431d-ae72-d844a5e86415 + risk: Security tests are not 
running regularly because test environments are + missing + measure: A test and a production like environment is used + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 5 + usefulness: 4 + level: 2 + dependsOn: + - Defined deployment process + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.1.4 + - 17.2.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.31 + - 8.14 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/bfdacb52-1e3f-431d-ae72-d844a5e86415 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Virtual environments are limited: + uuid: 760f1056-b0ee-4f22-a35b-f65446f944ca + risk: Denial of service (internally by an attacker or unintentionally by a bug) + on one service effects other services + measure: All virtual environments are using resource limits on hard disks, memory + and CPU + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 3 + usefulness: 3 + level: 2 + dependsOn: + - Applications are running in virtualized environments + implementation: [] + references: + samm2: + - O-EM-1-A + iso27001-2017: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 12.1.3 + - 13.1.3 + - 17.2.1 + iso27001-2022: + - Virtual environments are not explicitly covered by ISO 27001 - too specific + - 8.6 + - 8.22 + - 8.14 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/760f1056-b0ee-4f22-a35b-f65446f944ca + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + WAF Advanced: + uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced + risk: The presence of sophisticated threats necessitates a robust defense strategy + where application inputs are meticulously scrutinized for security breaches, + 
including advanced persistent threats and zero-day vulnerabilities. + measure: An advanced WAF protection level includes rigorous input validation, + rejecting any parameters not explicitly required, and custom rule sets that + are dynamically updated in response to emerging threats. + description: | + The advanced WAF setup is designed to ensure all data is in the correct format and any superfluous input parameters are automatically rejected. It includes machine learning algorithms to detect anomalies, custom-developed rules for real-time traffic analysis, and seamless integration with existing security infrastructures to adapt to the ever-changing threat landscape. + difficultyOfImplementation: + knowledge: 5 + time: 5 + resources: 5 + usefulness: 4 + level: 5 + dependsOn: + - WAF medium + implementation: [] + references: + samm2: + - D-SR-3-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced + comments: ~ + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + WAF baseline: + uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b + risk: Vulnerable input, such as exploits, can infiltrate the application via + numerous entry points, posing a significant security threat. + measure: Implementing a web application firewall (WAF) is a critical security + control. At a baseline level, the objective is to finely balance the reduction + of false positives, maintaining user experience, against a potential increase + in the less noticeable false negatives. + description: | + Begin with the WAF in a monitoring state to understand the traffic and threats. 
Progressively enforce blocking actions based on intelligence gathered, ensuring minimal disruption to legitimate traffic. + difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 3 + usefulness: 3 + level: 3 + dependsOn: + - Context-aware output encoding + implementation: [] + references: + samm2: + - D-SR-3-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b + comments: ~ + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + WAF medium: + uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium + risk: The threat from malicious inputs remains high, with exploits seeking to + exploit any vulnerabilities present at the various points of entry to the + application. + measure: A WAF deployed with a medium level of protection strengthens the security + posture by striking a more advanced balance between the detection of genuine + threats and the minimization of false alarms. + description: | + Maintain the WAF in alert mode initially to ensure a comprehensive understanding of potential threats. With a medium-level configuration, the WAF settings are refined for greater precision in threat detection, with a stronger emphasis on security without significantly impacting legitimate traffic. 
+ difficultyOfImplementation: + knowledge: 4 + time: 5 + resources: 4 + usefulness: 3 + level: 4 + dependsOn: + - WAF baseline + implementation: [] + references: + samm2: + - D-SR-3-A + iso27001-2017: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure + Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium + comments: ~ + tags: + - none + teamsImplemented: + Default: false + B: false + C: false +Information Gathering: + Logging: + Centralized application logging: + uuid: fe875e17-ae4a-45f8-a359-244aa4fcbc04 + risk: Local stored logs can be unauthorized manipulated by attackers with system + access or might be corrupt after an incident. In addition, it is hard to perform + an correlation of logs. This leads attacks, which can be performed silently. + measure: A centralized logging system is used and applications logs (including + application exceptions) are shipped to it. + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 5 + level: 3 + dependsOn: + - Alerting + implementation: [] + references: + samm2: + - O-IM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.4.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.15 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/fe875e17-ae4a-45f8-a359-244aa4fcbc04 + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Centralized system logging: + uuid: 4eced38a-7904-4c45-adb0-50b663065540 + risk: Local stored system logs can be unauthorized manipulated by attackers + or might be corrupt after an incident. In addition, it is hard to perform + a aggregation of logs. 
+ measure: By using centralized logging logs are protected against unauthorized + modification. + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 2 + level: 1 + implementation: + - uuid: 79f88310-d63e-471d-8e63-8c77f2281b66 + name: rsyslog + url: https://www.rsyslog.com/ + tags: + - tool + - logging + - uuid: 7a8fad2e-d642-4972-8501-74591b23feab + name: logstash + url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html + tags: + - tool + - logging + references: + samm2: + - O-IM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.4.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.15 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/4eced38a-7904-4c45-adb0-50b663065540 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Correlation of security events: + uuid: ccf4561d-253f-4762-adcb-bc4622fd6fc5 + risk: Detection of security related events with hints on different systems/tools/metrics + is not possible. + measure: Events are correlated on one system. For example the correlation and + visualization of failed login attempts combined with successful login attempts. 
+ difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 4 + usefulness: 3 + level: 5 + dependsOn: + - Visualized logging + - Alerting + implementation: [] + references: + samm2: + - O-IM-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.4.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.15 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccf4561d-253f-4762-adcb-bc4622fd6fc5 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Logging of security events: + uuid: ccfdd0a8-991e-4269-ad77-c0a54ca655cb + description: | + Implement logging of security relevant events. The following events tend to be security relevant: + - successful/failed login/logout + - creation, change, and deletion of users + - errors during input validation and output creation + - exceptions and errors with security in their name + - transactions of value (e.g., financial transactions, costly operations) + - :unicorn: (special things of your application) + measure: Security-relevant events like login/logout or creation, change, deletion + of users should be logged. + assessment: | + - Show which events are logged. + - Show a test for one event logging. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 4 + level: 2 + credits: | + [AppSecure-nrw](https://github.com/AppSecure-nrw/security-belts/blob/master/orange/logging-of-security-events.md) + implementation: + - uuid: 7a8fad2e-d642-4972-8501-74591b23feab + name: logstash + url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html + tags: + - tool + - logging + - uuid: f5da3a20-ab64-4ecf-b4e1-660c80036e45 + name: fluentd + tags: + - tool + url: https://www.fluentd.org/ + - uuid: 6226f8bc-2f6e-45c2-9232-98d2027e4531 + name: bash + tags: + - tool + url: https://www.gnu.org/software/bash/ + - uuid: 5a5c7d99-41e8-454a-86ae-a638c9787d8c + name: OWASP Logging CheatSheet + url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html + tags: + - logging + - documentation + references: + samm2: + - O-IM-1-A + iso27001-2017: + - 12.4.1 + iso27001-2022: + - 8.15 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccfdd0a8-991e-4269-ad77-c0a54ca655cb + risk: |- + * No track of security-relevant events makes it harder to analyze an incident. + * Security incident analysis takes significantly less time with proper security events, such that an attack can be stopped before the attacker reaches his goal. + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + PII logging concept: + uuid: 613a73dc-4f60-49db-a6ce-4fb7bf8519f9 + risk: Personal identifiable information (PII) is logged and the privacy law + (e.g. General Data Protection Regulation) is not followed. + measure: A concept how to log PII is documented and applied. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 1 + level: 5 + implementation: + - uuid: 79f88310-d63e-471d-8e63-8c77f2281b66 + name: rsyslog + url: https://www.rsyslog.com/ + tags: + - tool + - logging + - uuid: 7a8fad2e-d642-4972-8501-74591b23feab + name: logstash + url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html + tags: + - tool + - logging + - uuid: f5da3a20-ab64-4ecf-b4e1-660c80036e45 + name: fluentd + tags: + - tool + url: https://www.fluentd.org/ + - uuid: 6226f8bc-2f6e-45c2-9232-98d2027e4531 + name: bash + tags: + - tool + url: https://www.gnu.org/software/bash/ + references: + samm2: + - O-IM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.4.1 + - 18.1.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.15 + - 5.31 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/613a73dc-4f60-49db-a6ce-4fb7bf8519f9 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Visualized logging: + uuid: 7c735089-6a83-419f-8b27-c1e676cedea1 + risk: System and application protocols are not visualized properly which leads + to no or very limited logging assessment. Specially developers might have + difficulty to read applications logs with unusually tools like the Linux tool + 'cat' + measure: Protocols are visualized in a simple to use real time monitoring system. + The GUI gives the ability to search for special attributes in the protocol. 
+ difficultyOfImplementation: + knowledge: 1 + time: 3 + resources: 3 + usefulness: 4 + level: 2 + dependsOn: + - Centralized system logging + - Centralized application logging + implementation: + - uuid: 38fe9d00-df8b-44b6-910d-ca0f02b5c5d3 + name: ELK-Stack + tags: [] + url: https://www.elastic.co/elk-stack + references: + samm2: + - O-IM-1-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 12.4.1 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.15 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/7c735089-6a83-419f-8b27-c1e676cedea1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Monitoring: + Advanced app. metrics: + uuid: d03bc410-74a7-4e92-82cb-d01a020cb6bf + risk: People are not looking into tests results. Vulnerabilities not recolonized, + even they are detected by tools. + measure: All defects from the dimension Test- and Verification are instrumented. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 4 + level: 4 + dependsOn: + - Simple application metrics + - Visualized metrics + implementation: [] + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d03bc410-74a7-4e92-82cb-d01a020cb6bf + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Advanced availability and stability metrics: + uuid: ed715b38-c34b-40cd-83fd-ce807f306fc1 + risk: Trends and advanced attacks are not detected. + measure: Advanced metrics are gathered in relation to availability and stability. + For example unplanned downtime's per year. 
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 3
+ resources: 2
+ usefulness: 4
+ level: 3
+ dependsOn:
+ - Simple application metrics
+ - Visualized metrics
+ implementation: []
+ references:
+ samm2:
+ - O-IM-2-A
+ iso27001-2017:
+ - 12.1.3
+ iso27001-2022:
+ - 8.6
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ed715b38-c34b-40cd-83fd-ce807f306fc1
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Alerting:
+ uuid: 8a442d8e-0eb1-4793-a513-571aef982edd
+ risk: Incidents are discovered after they happened.
+ measure: |
+ Thresholds for metrics are set. In case the thresholds are reached, alarms are send out. Which should get attention due to the critically.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 5
+ resources: 5
+ usefulness: 5
+ level: 2
+ dependsOn:
+ - Visualized metrics
+ implementation: []
+ references:
+ samm2:
+ - I-DM-A 3
+ iso27001-2017:
+ - 16.1.2
+ - 16.1.4
+ - 12.1.4
+ iso27001-2022:
+ - 6.8
+ - 5.25
+ - 8.31
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8a442d8e-0eb1-4793-a513-571aef982edd
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Audit of system events:
+ uuid: 1cd5e4b8-be36-4726-adc7-d8f843f47ac8
+ risk: System events (system calls) trends and attacks are not detected.
+ measure: Gathering of system calls.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 4
+ level: 3
+ dependsOn:
+ - Visualized metrics
+ implementation:
+ - uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012
+ name: Falco
+ tags:
+ - falco
+ - systemcall
+ - monitoring
+ url: https://github.com/falcosecurity/falco
+ description: |
+ Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
+ references:
+ samm2:
+ - O-IM-2-A
+ iso27001-2017:
+ - 12.6.1
+ iso27001-2022:
+ - 8.8
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/1cd5e4b8-be36-4726-adc7-d8f843f47ac8
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Coverage and control metrics:
+ uuid: d0d681e7-d6de-4829-ac64-a9eb2546aa0d
+ risk: The effectiveness of configuration, patch and vulnerability management
+ is unknown.
+ measure: "Usage of Coverage- and control-metrics to show the effectiveness of
+ the security program. Coverage is the degree in \n which a specific
+ security control for a specific target group is applied with all resources.\n
+ \ The control degree shows the actual application of security standards
+ and security-guidelines. Examples are gathering information on anti-virus,
+ anti-rootkits, patch management, server configuration and vulnerability management."
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 5
+ resources: 2
+ usefulness: 4
+ level: 4
+ dependsOn:
+ - Visualized metrics
+ implementation:
+ - uuid: 84ef86ea-ada4-4e10-ae4f-a5bb77dcae5d
+ name: https://ht.transpare
+ tags: []
+ url: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD
+ description: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD%20Fileserver/books/SICUREZZA/Addison.Wesley.Security.Metrics.Mar.2007.pdf
+ references:
+ samm2:
+ - O-IM-2-A
+ iso27001-2017:
+ - not explicitly covered by ISO 27001 - too specific
+ iso27001-2022:
+ - ISO 27001:2022 mapping is missing
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d0d681e7-d6de-4829-ac64-a9eb2546aa0d
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Deactivation of unused metrics:
+ uuid: 7f36b9ba-bc05-4fd6-9a2a-73344c249722
+ risk: High resources are used while gathering unused metrics.
+ measure: Deactivation of unused metrics helps to free resources.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 5
+ resources: 5
+ usefulness: 5
+ level: 3
+ dependsOn:
+ - Visualized metrics
+ implementation: []
+ references:
+ samm2:
+ - O-IM-1-A
+ iso27001-2017:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 12.1.3
+ iso27001-2022:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 8.6
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/7f36b9ba-bc05-4fd6-9a2a-73344c249722
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Defense metrics:
+ uuid: e808028c-351c-42f1-bcd9-fba738d1fc55
+ risk: IDS/IPS systems like packet- or application-firewalls detect and prevent
+ attacks. It is not known how many attacks has been detected and blocked.
+ measure: |
+ Gathering of defense metrics like TCP/UDP sources enables to assume the geographic location of the request.
+ Assuming a Kubernetes cluster with an egress-traffic filter (e.g. IP/domain based), an alert might be send out in case of every violation. For ingress-traffic, alerting might not even be considered.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 5
+ resources: 2
+ usefulness: 4
+ level: 4
+ dependsOn:
+ - Visualized metrics
+ - Filter outgoing traffic
+ implementation: []
+ references:
+ samm2:
+ - O-IM-2-A
+ iso27001-2017:
+ - 12.4.1
+ - 13.1.1
+ iso27001-2022:
+ - 8.15
+ - 8.2
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e808028c-351c-42f1-bcd9-fba738d1fc55
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Grouping of metrics:
+ uuid: 42170a71-d4c8-47af-bd71-bf36875fd05b
+ risk: The analysis of metrics takes long.
+ measure: Meaningful grouping of metrics helps to speed up analysis.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 4
+ resources: 2
+ usefulness: 2
+ level: 3
+ implementation: []
+ references:
+ samm2:
+ - O-IM-2-A
+ iso27001-2017:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 12.1.3
+ iso27001-2022:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 8.6
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/42170a71-d4c8-47af-bd71-bf36875fd05b
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Metrics are combined with tests:
+ uuid: 71699daf-b2a4-466b-a0b2-89f7dbb18506
+ risk: Changes might cause high load due to programming errors.
+ measure: Metrics during tests helps to identify programming errors.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 3
+ resources: 2
+ usefulness: 5
+ level: 5
+ dependsOn:
+ - Grouping of metrics
+ implementation: []
+ references:
+ samm2:
+ - O-IM-2-A
+ iso27001-2017:
+ - not explicitly covered by ISO 27001
+ iso27001-2022:
+ - ISO 27001:2022 mapping is missing
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/71699daf-b2a4-466b-a0b2-89f7dbb18506
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Monitoring of costs:
+ uuid: 10e23a8c-22ff-4487-a706-87ccc9d0798e
+ risk: Not monitoring costs might lead to unexpected high resource consumption
+ and a high invoice.
+ measure: Implement cost budgets. Setting of an alert threshold and sending out
+ errors when it is reached. In the best case, a second threshold with a limit
+ is set so that the cost can not go higher.
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 2
+ dependsOn:
+ - Simple application metrics
+ - Simple system metrics
+ implementation: []
+ references:
+ samm2:
+ - O-IM-2-A
+ iso27001-2017:
+ - 12.1.3
+ iso27001-2022:
+ - 8.6
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/10e23a8c-22ff-4487-a706-87ccc9d0798e
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Screens with metric visualization:
+ uuid: 8746647c-638c-473f-8e17-82c068e4c311
+ risk: Security related information is discovered too late during an incident.
+ measure: By having an internal accessible screen with a security related dashboards
+ helps to visualize incidents.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 1
+ resources: 1
+ usefulness: 5
+ level: 4
+ dependsOn:
+ - Grouping of metrics
+ implementation: []
+ references:
+ samm2:
+ - O-IM-2-A
+ iso27001-2017:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 16.1.5
+ iso27001-2022:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 5.26
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8746647c-638c-473f-8e17-82c068e4c311
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Simple application metrics:
+ uuid: e9a6d403-a467-445e-b98a-74f0c29da0b1
+ risk: Attacks on an application are not recognized.
+ measure: |-
+ Gathering of application metrics helps to identify incidents like brute force attacks, login/logout patterns, and unusual spikes in activity. Key metrics to monitor include:
+ - Authentication attempts (successful/failed logins)
+ - Transaction volumes and patterns (e.g. orders, payments)
+ - API call rates and response times
+ - User session metrics
+ - Resource utilization
+
+ Example: An e-commerce application normally processes 100 orders per hour.
A sudden spike to 1000 orders per hour could indicate either:
+ - A legitimate event (unannounced marketing campaign, viral social media post)
+ - A security incident (automated bulk purchase bots, credential stuffing attack)
+
+ By monitoring these basic metrics, teams can quickly investigate abnormal patterns and determine if they represent security incidents requiring response.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 5
+ level: 1
+ implementation:
+ - uuid: ddf221df-3517-42e4-b23d-c1d9a162744c
+ name: Prometheus
+ tags: []
+ url: https://prometheus.io/
+ references:
+ samm2:
+ - O-IM-1-A
+ iso27001-2017:
+ - 12.4.1
+ iso27001-2022:
+ - 8.15
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e9a6d403-a467-445e-b98a-74f0c29da0b1
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Simple budget metrics:
+ uuid: f08a3219-6941-43ec-8762-4aff739f4664
+ risk: Not getting notified about reaching the end of the budget (e.g. due to
+ a denial of service) creates unexpected costs.
+ measure: Cloud providers often provide insight into budgets. A threshold and
+ alarming for the budget is set.
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 1
+ resources: 1
+ usefulness: 5
+ level: 1
+ implementation:
+ - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8
+ name: collected
+ tags: []
+ references:
+ samm2:
+ - O-IM-1-A
+ iso27001-2017:
+ - 12.1.3
+ iso27001-2022:
+ - 8.6
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/f08a3219-6941-43ec-8762-4aff739f4664
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Simple system metrics:
+ uuid: 3d1f4c3b-f713-46d9-933a-54a014a26c03
+ risk: Without simple metrics analysis of incidents are hard.
In case an application
+ uses a lot of CPU from time to time, it is hard for a developer to find out
+ the source with Linux commands.
+ measure: Gathering of system metrics helps to identify incidents and specially
+ bottlenecks like in CPU usage, memory usage and hard disk usage.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 5
+ assessment: |
+ Are system metrics gathered?
+ level: 1
+ implementation:
+ - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8
+ name: collected
+ tags: []
+ references:
+ samm2:
+ - O-IM-1-A
+ iso27001-2017:
+ - 12.1.3
+ iso27001-2022:
+ - 8.6
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/3d1f4c3b-f713-46d9-933a-54a014a26c03
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Targeted alerting:
+ uuid: d6f06ae8-401a-4f44-85df-1079247fa030
+ risk: People are bored (ignorant) of incident alarm messages, as they are not
+ responsible to react.
+ measure: By the definition of target groups for incidents people are only getting
+ alarms for incidents they are in charge for.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 5
+ resources: 5
+ usefulness: 5
+ level: 3
+ dependsOn:
+ - Alerting
+ implementation: []
+ references:
+ samm2:
+ - I-DM-A 3
+ iso27001-2017:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 16.1.5
+ iso27001-2022:
+ - Not explicitly covered by ISO 27001 - too specific
+ - 5.26
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d6f06ae8-401a-4f44-85df-1079247fa030
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Visualized metrics:
+ uuid: ded39bcf-4eaa-4c5f-9c94-09acde0a4734
+ risk: Not visualized metrics lead to restricted usage of metrics.
+ measure: Metrics are visualized in real time in a user friendly way.
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 2
+ dependsOn:
+ - Simple application metrics
+ - Simple system metrics
+ implementation: []
+ references:
+ samm2:
+ - O-IM-2-A
+ iso27001-2017:
+ - 12.1.3
+ iso27001-2022:
+ - 8.6
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ded39bcf-4eaa-4c5f-9c94-09acde0a4734
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Test KPI:
+ Fix rate per repo/product:
+ uuid: cf0d600e-114d-4887-9059-d81c53805f0d
+ risk: "Not communicating how many applications are adhering to SLAs based on
+ the criticality of vulnerabilities can lead to delayed remediation of \ncritical
+ security issues, increasing the risk of exploitation and potential damage
+ to the organization."
+ measure: "Measurement and communication of the number of vulnerabilities handled
+ per severity level for components such as applications, ensuring alignment
+ with SLAs. \nThe rate should be broken down by team, product, application,
+ repository, and/or service. This analysis should be conducted at least quarterly."
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 3
+ implementation:
+ - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
+ name: OWASP DefectDojo
+ tags:
+ - vulnerability management system
+ - owasp
+ url: https://github.com/DefectDojo/django-DefectDojo
+ description: |
+ DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
+ name: Purify
+ tags:
+ - vulnerability management system
+ url: https://github.com/faloker/purify/
+ description: |
+ The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
+ name: Business friendly vulnerability management metrics
+ url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ tags:
+ - documentation
+ - vulnerability
+ - vulnerability management system
+ - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
+ name: DefectDojo Client
+ tags:
+ - Defectdojo
+ - statistics
+ url: https://github.com/SDA-SE/defectdojo-client
+ description: |
+ This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/cf0d600e-114d-4887-9059-d81c53805f0d
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurements
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Generation of response statistics:
+ uuid: c922981b-65ed-40f3-a947-96fee9a0125f
+ risk: No or delayed reaction to findings leads to potential exploitation of
+ findings.
+ measure: Creation and response statistics (e.g. Mean Time to Resolution) of
+ findings. This is also referred to as _Mean Time to Resolve_.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 1
+ usefulness: 3
+ dependsOn:
+ - Usage of a vulnerability management system
+ level: 3
+ implementation:
+ - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
+ name: OWASP DefectDojo
+ tags:
+ - vulnerability management system
+ - owasp
+ url: https://github.com/DefectDojo/django-DefectDojo
+ description: |
+ DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
+ name: Purify
+ tags:
+ - vulnerability management system
+ url: https://github.com/faloker/purify/
+ description: |
+ The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
+ name: Business friendly vulnerability management metrics
+ url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ tags:
+ - documentation
+ - vulnerability
+ - vulnerability management system
+ - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
+ name: DefectDojo Client
+ tags:
+ - Defectdojo
+ - statistics
+ url: https://github.com/SDA-SE/defectdojo-client
+ description: |
+ This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
+ references:
+ samm2:
+ - I-DM-2-B
+ iso27001-2017:
+ - 16.1.4
+ - 8.2.3
+ iso27001-2022:
+ - 5.25
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/c922981b-65ed-40f3-a947-96fee9a0125f
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurements
+ comments: The [DefectDojo-Client](https://github.com/SDA-SE/defectdojo-client/tree/master/statistic-client)
+ generates statistics from OWASP DefectDojo and places the results in a [Github
+ repository](https://github.com/pagel-pro/cluster-image-scanner-all-results).
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Number of vulnerabilities/severity:
+ uuid: bc548cba-cb82-4f76-bd4b-325d9d256279
+ risk: Failing to convey the number of vulnerabilities by severity might undermine
+ the effectiveness of product teams. This might lead to ignorance of findings.
+ measure: Measurement and communication of vulnerabilities per severity for components
+ like applications. At least quarterly.
+ description: |-
+ Communication can be performed in a simple way, e.g. text based during the build process.
+ This activity depends on at least one security testing implementation.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 2
+ dependsOn: []
+ implementation: []
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/bc548cba-cb82-4f76-bd4b-325d9d256279
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurement
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Number of vulnerabilities/severity/layer:
+ uuid: 0ec92899-a5cb-4649-984b-2fb1d6c784ad
+ risk: Failing to convey the number of vulnerabilities by severity and layer
+ (app/infra) might undermine the effectiveness of product teams. This might
+ lead to ignorance of findings.
+ measure: Measurement and communication of vulnerabilities per severity for components
+ like applications and split it depending on the layer (e.g. app/infra). At
+ least quarterly.
+ description: |-
+ Communication can be performed in a simple way, e.g. text based during the build process.
+ This activity depends on at least one security testing implementation.
+ Layers to consider (SCA):
+ - Cloud provider (if insights are possible)
+ - Runtimes, e.g. Kubernetes nodes
+ - Base images and container images
+ - Application
+
+ Layers to consider SAST/DAST:
+ - Cloud provider
+ - Runtime, e.g. Kubernetes
+ - Base images and container images
+ - Application
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 2
+ dependsOn: []
+ implementation: []
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/0ec92899-a5cb-4649-984b-2fb1d6c784ad
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurement
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Patching mean time to resolution via PR:
+ uuid: 86d490b9-d798-4a5b-a011-ab9688014c46
+ risk: Without measuring Mean Time to Resolution (MTTR) related to patching,
+ it is challenging to identify delays in the patching process. Unaddressed
+ vulnerabilities can be exploited by attackers, leading to potential security
+ breaches and data loss.
+ measure: "Measurement and communication of patching Mean Time to Resolution
+ (MTTR) in alignment with Service Level Agreements (SLAs), conducted at least
+ on a quarterly basis.\nThis includes the measurement of the existence of a
+ properly configured automated pull request (PR) tool (e.g., Dependabot or
+ Renovate) in a repository. \nIn addition, the measurement of the time from
+ opening an automated PR to merging it.\n\nAverage time to patch is visualized
+ per component/project/team."
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 1
+ resources: 2
+ usefulness: 3
+ level: 2
+ dependsOn:
+ - Automated PRs for patches
+ implementation: []
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/86d490b9-d798-4a5b-a011-ab9688014c46
+ tags:
+ - patching
+ - metrics
+ - vmm-measurements
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Patching mean time to resolution via production:
+ uuid: 77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f
+ risk: Without measuring Mean Time to Resolution (MTTR) related to patching,
+ it is challenging to identify delays in the patching process. Unaddressed
+ vulnerabilities can be exploited by attackers, leading to potential security
+ breaches and data loss.
+ measure: |-
+ Measurement and communication of the time from the availability of a patch to its deployment in production in alignment with Service Level Agreements (SLAs), conducted at least on a quarterly basis.
+ Average time to patch is visualized per component/project/team.
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 1
+ resources: 2
+ usefulness: 3
+ level: 4
+ dependsOn:
+ - Patching mean time to resolution via PR
+ - Automated PRs for patches
+ implementation: []
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2017:
+ - 16.1.4
+ iso27001-2022:
+ - 5.25
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f
+ tags:
+ - patching
+ - metrics
+ - vmm-measurements
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ SLA per criticality:
+ uuid: 51f3fce5-b5c8-4683-8c41-e785fe4f3b5f
+ risk: "Not communicating how many applications are adhering to SLAs based on
+ the criticality of vulnerabilities can lead to delayed remediation of \ncritical
+ security issues, increasing the risk of exploitation and potential damage
+ to the organization."
+ measure: "Measurement and communication of how many of the vulnerabilities handling
+ per severity for components like applications are aligned to SLAs. \nThis
+ is performed for the hole organization and doesn't need to be broken down
+ (yet) on team/product/application. \nAt least quarterly."
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 3
+ level: 3
+ dependsOn: []
+ implementation:
+ - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
+ name: OWASP DefectDojo
+ tags:
+ - vulnerability management system
+ - owasp
+ url: https://github.com/DefectDojo/django-DefectDojo
+ description: |
+ DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
+ name: Purify
+ tags:
+ - vulnerability management system
+ url: https://github.com/faloker/purify/
+ description: |
+ The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
+ name: Business friendly vulnerability management metrics
+ url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ tags:
+ - documentation
+ - vulnerability
+ - vulnerability management system
+ - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f
+ name: DefectDojo Client
+ tags:
+ - Defectdojo
+ - statistics
+ url: https://github.com/SDA-SE/defectdojo-client
+ description: |
+ This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner.
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test
+ KPI/51f3fce5-b5c8-4683-8c41-e785fe4f3b5f
+ tags:
+ - vulnerability-mgmt
+ - metrics
+ - vmm-measurements
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+Test and Verification:
+ Application tests:
+ High coverage of security related module and integration tests:
+ uuid: 67667c97-c33e-4306-a4e5-e7b1d8e10c5a
+ risk: Vulnerabilities are rising due to code changes in a complex microservice
+ environment in not important components.
+ measure: Implementation of security related tests via unit tests and integration
+ tests. Including the test of libraries, in case the are not tested already.
+ difficultyOfImplementation:
+ knowledge: 5
+ time: 5
+ resources: 3
+ usefulness: 3
+ level: 5
+ implementation: []
+ references:
+ samm2:
+ - V-ST-3-B
+ iso27001-2017:
+ - 14.2.3
+ - 14.2.8
+ iso27001-2022:
+ - 8.32
+ - 8.29
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
+ tests/67667c97-c33e-4306-a4e5-e7b1d8e10c5a
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Security integration tests for important components:
+ uuid: f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715
+ risk: Vulnerabilities are rising due to code changes in a complex microservice
+ environment.
+ measure: Implementation of essential security related integration tests. For
+ example for authentication and authorization.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 4
+ resources: 2
+ usefulness: 2
+ level: 3
+ references:
+ samm2:
+ - V-ST-3-B
+ iso27001-2017:
+ - 14.2.3
+ - 14.2.8
+ iso27001-2022:
+ - 8.32
+ - 8.29
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
+ tests/f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Security unit tests for important components:
+ uuid: eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075
+ risk: Vulnerabilities are rising due to code changes.
+ measure: Usage of unit tests to test important security related features like
+ authentication and authorization.
+ difficultyOfImplementation:
+ knowledge: 3
+ time: 4
+ resources: 2
+ usefulness: 3
+ level: 2
+ comments: |
+ The integration of module tests takes place during development instead, it highlights vulnerabilities in sub-routines, functions, modules, libraries etc. checked.
+ A sample implementation of unit tests are explained in the video [Shift-Left-Security with the Security Test Pyramid - Andreas Falk](https://www.youtube.com/watch?v=TzFZy3f7d8E) starting with minute 9.
+ implementation:
+ - uuid: cc2eec82-f3a7-4ae5-9ccb-3d75352b2e4d
+ name: JUnit
+ tags:
+ - unittest
+ url: https://junit.org/junit5/
+ - uuid: fd56720a-ad4b-487c-b4c3-897a688672c4
+ name: Karma
+ tags: []
+ url: https://karma-runner.github.io
+ references:
+ samm2:
+ - V-ST-3-B
+ iso27001-2017:
+ - 14.2.3
+ - 14.2.8
+ iso27001-2022:
+ - 8.32
+ - 8.29
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
+ tests/eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Smoke Test:
+ uuid: 73aaae0b-5d68-4953-9fa4-fd25bf665f2a
+ risk: During a deployment an error might happen which leads to non-availability
+ of the system, a part of the system or a feature.
+ measure: Integration tests are performed against the production environment
+ after each deployment.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 2
+ level: 4
+ implementation: []
+ dependsOn:
+ - Defined deployment process
+ references:
+ samm2:
+ - V-ST-3-B
+ iso27001-2017:
+ - 14.2.3
+ - 14.2.8
+ iso27001-2022:
+ - 8.32
+ - 8.29
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
+ tests/73aaae0b-5d68-4953-9fa4-fd25bf665f2a
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Consolidation:
+ Advanced visualization of defects:
+ uuid: 7a82020c-94d1-471c-bbd3-5f7fe7df4876
+ risk: Correlation of the vulnerabilities of different tools to have an overview
+ of the the overall security level per component/project/team is not given.
+ measure: Findings are visualized per component/project/team.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 4
+ resources: 1
+ usefulness: 2
+ level: 4
+ implementation:
+ - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
+ name: OWASP DefectDojo
+ tags:
+ - vulnerability management system
+ - owasp
+ url: https://github.com/DefectDojo/django-DefectDojo
+ description: |
+ DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
+ - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9
+ name: Purify
+ tags:
+ - vulnerability management system
+ url: https://github.com/faloker/purify/
+ description: |
+ The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
+ name: Business friendly vulnerability management metrics
+ url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ tags:
+ - documentation
+ - vulnerability
+ - vulnerability management system
+ references:
+ samm2:
+ - I-DM-3-B
+ iso27001-2017:
+ - 16.1.4
+ - 8.2.1
+ - 8.2.2
+ - 8.2.3
+ iso27001-2022:
+ - 5.25
+ - 5.12
+ - 5.13
+ - 5.1
+ openCRE:
+ - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/7a82020c-94d1-471c-bbd3-5f7fe7df4876
+ comments: ""
+ tags:
+ - none
+ teamsImplemented:
+ Default: false
+ B: false
+ C: false
+ Fix based on accessibility:
+ uuid: 0c10a7f7-f78f-49f2-943d-19fdef248fed
+ risk: Overwhelming volume of security findings from automated testing tools.
+ This might lead to ignorance of findings.
+ measure: Implement a simple risk-based prioritization framework for vulnerability
+ remediation based on accessibility of the applications.
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 3 + meta: + implementationGuide: |- + Develop a scoring system for asset accessibility, considering factors like: + - Whether the asset is internet-facing (highly recommended) + - The number of network hops required to reach the asset (recommended) + - Authentication requirements for access (recommended) + dependsOn: + - Treatment of defects with severity high or higher + - Inventory of production components + implementation: ~ + references: + samm2: + - I-DM-3-B + iso27001-2017: + - 16.1.4 + - 8.2.1 + - 8.2.2 + - 8.2.3 + iso27001-2022: + - 5.25 + - 5.12 + - 5.13 + - 5.1 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/0c10a7f7-f78f-49f2-943d-19fdef248fed + tags: + - vuln-action + - defect-management + teamsImplemented: + Default: false + B: false + C: false + Integration in development process: + uuid: aaffa73f-59f6-4267-b0ab-732f3d13e90d + risk: "Not integrating vulnerability handling into the development process may + result in product teams ignoring findings. \n\nSecurity joke: We will gain + 100% false negatives." + measure: Integration of findings into the development process. E.g. adding findings + to the backlog of products teams. + description: |- + Validating Findings by Security Engineers Pros: + - Ensures accuracy and relevance of findings before they reach product teams + - Reduces false positives, saving development teams time and effort + - Might provides a layer of expertise in assessing the severity and impact of vulnerabilities + + Validating Findings by Security Engineers Cons: + - Requires a sufficient number of skilled security engineers, which might be challenging for some organizations + - May slow down the process if security engineers are overloaded with validation tasks + - For Software Composition Analysis findings (known vulnerabilities) I, as a sec. 
eng., struggle to analysis if it is a false positive/true positive due to a lack of insights in the application + + Pushing Findings Directly to Product Teams Pros: + - Accelerates the process by immediately notifying product teams of potential vulnerabilities + - Empowers product teams to take swift action in addressing security issues + Pushing Findings Directly to Product Teams Cons: + - Increases the workload on product teams, potentially leading to frustration + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + dependsOn: [] + implementation: + - uuid: 889444eb-de68-4367-bada-a66f8cb9733a + name: Jira + tags: + - documentation + - issue + - proprietary + url: https://jira.atlassian.com/ + description: Jira is a bug tracking and project management tool developed + by Atlassian, used by development teams for tracking issues, planning sprints, + and managing software releases. It offers features for creating and managing + tasks, assigning them to team members, and monitoring progress through customizable + workflows and dashboards. + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
+ - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f + name: DefectDojo Client + tags: + - Defectdojo + - statistics + url: https://github.com/SDA-SE/defectdojo-client + description: | + This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. + references: + samm2: + - I-DM-3-B + iso27001-2022: + - 5.25 + - 5.12 + - 5.13 + - 5.1 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/aaffa73f-59f6-4267-b0ab-732f3d13e90d + tags: + - vulnerability-mgmt + - vmm-measurements + teamsImplemented: + Default: false + B: false + C: false + Integration of vulnerability issues into the development process: + uuid: ce970c9b-da94-41cf-bd78-8c15357b7e8e + risk: To read console output of the build server to search for vulnerabilities + might be difficult. Also, to check a vulnerability management system might + not be a daily task for a developer. + measure: Vulnerabilities are tracked in the teams issue system (e.g. jira). + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 2 + level: 3 + implementation: + - uuid: aaad322e-806e-4c51-b78d-6551f7dc376a + name: SAST + tags: [] + description: 'At SAST (Static Application Security Testing): Server-side / + client-side teams can easily be recorded. With microservice architecture + individual microservices can be used usually Teams.' + url: https://d3fend.mitre.org/dao/artifact/d3f:StaticAnalysisTool/ + - uuid: 9d4bd377-11ec-4054-9c9e-9bfb99ac9609 + name: DAST + tags: [] + description: 'At DAST (Dynamic Application Security Testing): vulnerabilities + are classified and can be assigned to server-side and client-side teams.' 
+ url: https://d3fend.mitre.org/dao/artifact/d3f:DynamicAnalysisTool/ + references: + samm2: + - I-DM-2-B + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 16.1.4 + - 16.1.5 + - 16.1.6 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.25 + - 5.26 + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/ce970c9b-da94-41cf-bd78-8c15357b7e8e + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Reproducible defect tickets: + uuid: 27337442-e4b1-4e87-8dc9-ce86fbb79a39 + risk: Vulnerability descriptions are hard to understand by staff from operations + and development. + measure: Vulnerabilities include the test procedure to give the staff from operations + and development the ability to reproduce vulnerabilities. This enhances the + understanding of vulnerabilities and therefore the fix have a higher quality. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 2 + level: 4 + implementation: [] + references: + samm2: + - I-DM-2-B + iso27001-2017: + - 16.1.4 + - 8.2.1 + - 8.2.2 + - 8.2.3 + iso27001-2022: + - 5.25 + - 5.12 + - 5.13 + - 5.1 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/27337442-e4b1-4e87-8dc9-ce86fbb79a39 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Simple false positive treatment: + uuid: c1acc8af-312e-4503-a817-a26220c993a0 + risk: As false positive occur during each test, all vulnerabilities might be + ignored. Specially, if tests are automated an run daily. 
+ measure: |- + Findings from security tests must be triaged and outcomes persisted/documented to: + - Prevent re-analysis of known issues in subsequent test runs + - Track accepted risks vs false positives + - Enable consistent decision-making across teams + + At this maturity level, a simple tracking system suffices - tools need only distinguish between "triaged" and "untriaged" findings, without complex categorization. Some tools refer to this as "suppression" of findings. + + Samples for false positive handling: + - [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck/general/suppression.html) + - [Kubescape with VEX](https://kubescape.io/blog/2023/12/07/kubescape-support-for-vex-generation/) + - [OWASP DefectDojo Risk Acceptance](https://docs.defectdojo.com/en/working_with_findings/findings_workflows/risk_acceptances/) and [False Positive Handling](https://docs.defectdojo.com/en/working_with_findings/intro_to_findings/#triage-vulnerabilities-using-finding-status) + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 4 + level: 1 + implementation: + - uuid: bb9d0f2d-f8bc-46b5-bbc7-7dbcf927191c + name: OWASP Defect Dojo + tags: [] + url: https://github.com/DefectDojo/django-DefectDojo + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
+ references: + samm2: + - I-DM-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 16.1.6 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/c1acc8af-312e-4503-a817-a26220c993a0 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Simple visualization of defects: + uuid: 55f4c916-3a34-474d-ad96-9a9f7a4f6a83 + risk: The security level of a component is not visible. Therefore, the motivation + to enhance the security is not give. + measure: Vulnerabilities are simple visualized. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207 + name: OWASP Dependency Check + tags: + - OpenSource + - Supply Chain + - vulnerability + url: https://owasp.org/www-project-dependency-check/ + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: ef80cd34-d3ba-4406-a4fa-4cf6f30c2e81 + name: LogParser Jenkins Plugins + tags: [] + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. 
DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. + references: + samm2: + - I-DM-1-B + iso27001-2017: + - 16.1.4 + - 8.2.1 + - 8.2.2 + - 8.2.3 + iso27001-2022: + - 5.25 + - 5.12 + - 5.13 + - 5.1 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/55f4c916-3a34-474d-ad96-9a9f7a4f6a83 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Treatment of all defects: + uuid: b2f77606-3e6c-41e9-b72d-7c0b1d3d581d + risk: Vulnerabilities with severity low are not visible. + measure: All vulnerabilities are added to the quality gate. + difficultyOfImplementation: + knowledge: 3 + time: 4 + resources: 1 + usefulness: 2 + level: 5 + implementation: [] + references: + samm2: + - I-DM-2-B + iso27001-2017: + - 16.1.4 + - 12.6.1 + iso27001-2022: + - 8.8 + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/b2f77606-3e6c-41e9-b72d-7c0b1d3d581d + tags: + - vuln-action + - defect-management + comments: "" + teamsImplemented: + Default: false + B: false + C: false + Treatment of defects per protection requirement: + uuid: 2b7cc923-bdaf-43e3-8fb4-a995b7783969 + risk: "Not defining the protection requirement of applications can lead to wrong + prioritization, delayed remediation of \ncritical security issues, increasing + the risk of exploitation and potential damage to the organization." 
+ measure: "Defining the protection requirement and the corresponding handling + of vulnerabilities per severity for components like applications are aligned + to SLAs. \n This is performed for the hole organization and doesn't need to + be broken down (yet) on team/product/application. \n At least quarterly." + description: |- + The protection requirements for an application should consider: + - Data criticality + - Application accessibility (internal vs. external) + - Regulatory compliance + - Other relevant factors + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + dependsOn: [] + implementation: + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
+ - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde + name: Business friendly vulnerability management metrics + url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 + tags: + - documentation + - vulnerability + - vulnerability management system + - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f + name: DefectDojo Client + tags: + - Defectdojo + - statistics + url: https://github.com/SDA-SE/defectdojo-client + description: | + This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. + references: + samm2: + - I-DM-3-B + iso27001-2022: + - 5.25 + - 5.12 + - 5.13 + - 5.1 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/2b7cc923-bdaf-43e3-8fb4-a995b7783969 + tags: + - vulnerability-mgmt + - metrics + - vmm-measurements + teamsImplemented: + Default: false + B: false + C: false + Treatment of defects with severity high or higher: + uuid: 44f2c8a9-4aaa-4c72-942d-63f78b89f385 + risk: Vulnerabilities with severity high or higher are not visible. + measure: Vulnerabilities with severity high or higher are added to the quality + gate. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 1 + comments: False positive analysis, specially for static analysis, is time consuming. + references: + samm2: + - I-DM-2-B + iso27001-2017: + - 16.1.4 + - 12.6.1 + iso27001-2022: + - 8.8 + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/44f2c8a9-4aaa-4c72-942d-63f78b89f385 + implementation: [] + tags: + - vuln-action + - defect-management + teamsImplemented: + Default: false + B: false + C: false + Treatment of defects with severity middle: + uuid: 9cac3341-fe83-4079-bef2-bfc4279eb594 + risk: Vulnerabilities with severity middle are not visible. 
+ measure: Vulnerabilities with severity middle are added to the quality gate. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 3 + comments: False positive analysis, specially for static analysis, is time consuming. + references: + samm2: + - I-DM-2-B + iso27001-2017: + - 16.1.4 + - 12.6.1 + iso27001-2022: + - 8.8 + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/9cac3341-fe83-4079-bef2-bfc4279eb594 + implementation: [] + tags: + - vuln-action + - defect-management + teamsImplemented: + Default: false + B: false + C: false + Usage of a vulnerability management system: + uuid: 85ba5623-84be-4219-8892-808837be582d + risk: Maintenance of false positives in each tool enforces a high workload. + In addition a correlation of the same finding from different tools is not + possible. + measure: Aggregation of vulnerabilities in one tool reduce the workload to handle + them, e.g. mark as false positives. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 2 + dependsOn: + - Exploit likelihood estimation + - Each team has a security champion + - Office Hours + level: 3 + description: "For known vulnerabilities a processes to estimate the exploit + ability of a vulnerability is recommended.\n\nTo implement a security culture + including training, office hours and security champions can help integrating + \nsecurity scanning at scale. Such activities help to understand why a vulnerability + is potentially critical and needs handling." + implementation: + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. 
DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. + - uuid: d899488c-5799-4df1-a14c-3bb92fec3ac3 + name: SecObserve + tags: + - vulnerability management system + url: https://github.com/MaibornWolff/SecObserve + description: | + The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools. + references: + samm2: + - I-DM-1-B + iso27001-2017: + - 12.6.1 + - 16.1.3 + - 16.1.4 + - 16.1.5 + - 16.1.6 + iso27001-2022: + - 8.8 + - 6.8 + - 5.25 + - 5.26 + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/85ba5623-84be-4219-8892-808837be582d + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Dynamic depth for applications: + Coverage analysis: + uuid: d0ba0be5-c573-405f-b905-b7a8f87a9cc7 + risk: Parts of the service are not still covered by tests. + measure: Check that there are no missing paths in the application with coverage-tools. 
+ difficultyOfImplementation: + knowledge: 4 + time: 5 + resources: 3 + usefulness: 4 + level: 5 + implementation: + - uuid: 7063cf8c-cd98-480f-8ef7-11cf241d2366 + name: OWASP Code Pulse + tags: [] + url: https://www.owasp.org/index.php/OWASP_Code_Pulse + - uuid: f011de6e-ab7c-4ec7-af55-03427271ab32 + name: Coverage.py + tags: + - testing + - coverage + url: https://github.com/nedbat/coveragepy + description: | + Code coverage measurement for Python + references: + samm2: + - V-ST-2-A + iso27001-2017: + - not explicitly covered by ISO 27001 - too specific + - part of periodic review, PDCA + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/d0ba0be5-c573-405f-b905-b7a8f87a9cc7 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Coverage of client side dynamic components: + uuid: 9711f871-f79d-4573-8d4f-d2c98fd0d18e + risk: Parts of the service are not covered during the scan, because JavaScript + is not getting executed. Therefore, the coverage of client-side dynamic components + is limited, leading to potential security risks and undetected vulnerabilities. + measure: Usage of a spider which executes dynamic content like JavaScript, e.g. + via Selenium. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 4 + level: 2 + dependsOn: + - Usage of different roles + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/9711f871-f79d-4573-8d4f-d2c98fd0d18e + implementation: + - uuid: 6583fd5f-4314-4b39-9265-de72f861c8cb + name: Ajax Spider + tags: [] + url: https://www.zaproxy.org/docs/desktop/addons/ajax-spider/ + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Coverage of hidden endpoints: + uuid: 6a9cb303-0f98-48a8-bdcd-56d41c0012b8 + risk: Hidden endpoints of the service are not getting tracked. + measure: Hidden endpoints are getting detected and included in the vulnerability + scan. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 1 + usefulness: 5 + level: 3 + implementation: + - uuid: f2a5f642-43b3-4b2c-97d5-b14d5964981b + name: cURL + tags: [] + url: https://curl.se/ + - uuid: 7ce77258-bf65-4e7a-9627-daf765ee1d77 + name: OpenAPI Specifications + tags: [] + url: https://spec.openapis.org/ + - uuid: 42a87524-ec35-4de2-a30c-1a7c7d045801 + name: OWASP Zap + tags: + - vulnerability + - scanner + url: https://github.com/zaproxy/zaproxy + description: | + The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of ... + - uuid: c9bbecf2-567b-4422-b29a-67b16385f32b + name: Schemathesis + tags: + - testing + - api + - documentation + url: https://github.com/schemathesis/schemathesis + description: | + Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema. 
+ dependsOn: + - Usage of different roles + references: + samm2: + - V-ST-2-A + iso27001-2017: + - not explicitly covered by ISO 27001 - too specific + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/6a9cb303-0f98-48a8-bdcd-56d41c0012b8 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Coverage of more input vectors: + uuid: 5e0ff85b-ec89-4ef0-96b1-5695fa0025dc + risk: Parts of the service are not covered. For example specially formatted + or coded parameters are not getting detected as parameter (e.g. parameters + in REST-like URLs, parameters in JSON-Format or base64-coded parameters). + measure: Special parameter and special encodings are defined, so that they get + fuzzed by the used vulnerability scanners. + difficultyOfImplementation: + knowledge: 5 + time: 5 + resources: 1 + usefulness: 4 + level: 3 + dependsOn: + - Usage of different roles + references: + samm2: + - V-ST-2-A + iso27001-2017: + - not explicitly covered by ISO 27001 - too specific + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/5e0ff85b-ec89-4ef0-96b1-5695fa0025dc + implementation: + - uuid: c9bbecf2-567b-4422-b29a-67b16385f32b + name: Schemathesis + tags: + - testing + - api + - documentation + url: https://github.com/schemathesis/schemathesis + description: | + Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema. + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Coverage of sequential operations: + uuid: 845f06ec-148c-4c67-9755-7041911dcca5 + risk: Sequential operations like workflows (e.g. 
login -> put products in the + basket + measure: Sequential operations are defined and checked by the vulnerability + scanner in the defined order. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 5 + level: 3 + implementation: + - uuid: f2a5f642-43b3-4b2c-97d5-b14d5964981b + name: cURL + tags: [] + url: https://curl.se/ + dependsOn: + - Usage of different roles + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 14.2.8 + - 14.2.3 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/845f06ec-148c-4c67-9755-7041911dcca5 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Coverage of service to service communication: + uuid: 22aab0ef-76ce-4b8c-979c-3699784330db + risk: Service to service communication is not covered. + measure: Service to service communication is dumped and checked. + difficultyOfImplementation: + knowledge: 4 + time: 5 + resources: 2 + usefulness: 3 + level: 5 + dependsOn: + - Simple Scan + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/22aab0ef-76ce-4b8c-979c-3699784330db + implementation: + - uuid: 000b55f9-e6fd-4649-8290-27876a0409e2 + name: Citrus Fresh Integration Testing + tags: + - framework + - testing + url: https://citrusframework.org/ + description: Integration Test framework with focus on messaging applications + and Microservices. + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Simple Scan: + uuid: 07796811-37f9-467c-9ff2-48f346e77ff3 + risk: Deficient security tests are performed. Simple vulnerabilities are not + detected and missing security configurations (e.g. headers) are not set. Fast + feedback is not given. 
+ measure: A simple scan is performed to get a security baseline. In case the + test is done in under 10 minutes, it should be part of the build and deployment + process. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 1 + level: 2 + dependsOn: + - Defined build process + implementation: + - uuid: 42a87524-ec35-4de2-a30c-1a7c7d045801 + name: OWASP Zap + tags: + - vulnerability + - scanner + url: https://github.com/zaproxy/zaproxy + description: | + The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of ... + - uuid: 83ae1e92-5eb9-4467-b3d3-fd2f96e6ab63 + name: Arachni + url: https://github.com/Arachni/arachni + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/07796811-37f9-467c-9ff2-48f346e77ff3 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of different roles: + uuid: 65a2d7d9-5441-46bf-a4e3-f76919857750 + risk: Parts of the service are not covered during the scan, because a login + is not performed. + measure: Integration of authentication with all roles used in the service. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 2 + level: 2 + dependsOn: + - Simple Scan + references: + samm2: + - V-ST-2-A + iso27001-2017: + - not explicitly covered by ISO 27001 - too specific + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/65a2d7d9-5441-46bf-a4e3-f76919857750 + implementation: + - uuid: 7eb37566-02d5-4fff-8dcf-8fcd1c8197f3 + name: Zest + url: https://www.zaproxy.org/docs/desktop/addons/zest/ + tags: + - zap + description: | + Zest is an experimental specialized scripting language (also known as a domain-specific language) originally developed by the Mozilla security team and is intended to be used in web oriented security tools. + assessment: For REST APIs, multiple OAuth2 scopes are used. + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Usage of multiple scanners: + uuid: 5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea + risk: Each vulnerability scanner has different opportunities. By using just + one scanner, some vulnerabilities might not be found. + measure: Usage of multiple spiders and scanner enhance the coverage and the + vulnerabilities. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 5 + usefulness: 1 + level: 4 + dependsOn: + - Usage of different roles + implementation: + - uuid: f220b299-0917-4750-96c5-d81cd402b4df + name: OWASP secureCodeBox + tags: + - vulnerability + - scanner-orchestration + url: https://github.com/secureCodeBox/secureCodeBox + description: | + secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box. 
+ references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for applications/5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Dynamic depth for infrastructure: + Load tests: + uuid: ab5725aa-4d53-47b9-96df-c14b3fa93bcd + risk: As it is unknown how many requests the systems and applications can serve, + due to an unexpected load the availability is disturbed. + measure: Load test against the production system or a production near system + is performed. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 5 + usefulness: 3 + level: 4 + implementation: [] + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 12.1.3 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.6 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for infrastructure/ab5725aa-4d53-47b9-96df-c14b3fa93bcd + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for exposed services: + uuid: a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8 + risk: Standard network segmentation and firewalling has not been performed, + leading to world open cluster management ports. + measure: With the help of tools the network configuration of unintentional exposed + cluster(s) are tested. To identify clusters, all subdomains might need to + be identified with a tool like OWASP Amass to perform port scans based o the + result. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 2 + dependsOn: + - Isolated networks for virtual environments + usefulness: 2 + level: 2 + implementation: + - uuid: 08111dc3-bdc4-47d8-8f2e-10bb50a86882 + name: nmap + tags: [] + url: https://nmap.org/ + - uuid: f085295e-46a3-4c8d-bbc3-1ac6b9dfcf2a + name: OWASP Amass + tags: [] + url: https://github.com/OWASP/Amass + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 13.1.3 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.22 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for infrastructure/a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for unauthorized installation: + uuid: dccf1949-b9a8-4ce8-b992-6a4a7f3a623a + risk: Unapproved components are used. + measure: Components must be whitelisted. Regular scans on the docker infrastructure + (e.g. cluster) need to be performed, to verify that only standardized base + images are used. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 349cf64c-abea-40bb-bd07-9c98ce648fa4 + name: 'Example: All docker images used by teams need to be based on standard + images.' 
+ tags: [] + comments: By preventing teams from trying out new components, innovation might + be hampered + references: + samm2: [] + iso27001-2017: + - 12.5.1 + - 12.6.1 + iso27001-2022: + - 8.19 + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for infrastructure/dccf1949-b9a8-4ce8-b992-6a4a7f3a623a + dependsOn: + - Evaluation of the trust of used components + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for unused Resources: + uuid: 6532c1fe-9d23-4228-8722-558ddabca7d4 + risk: Unused resources, specially secrets, might be still valid, but are exposing + information. As an attacker, I compromise a system, gather credentials and + try to use them. + measure: Test for unused resources helps to identify unused resources. + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 2 + level: 5 + implementation: + - uuid: 8fea20ad-e332-4aa8-b1f1-aa9deb635dc1 + name: K8sPurger + tags: + - vulnerability + - scanner + - dast + - infrastructure + url: https://github.com/yogeshkk/K8sPurger + description: | + Hunt Unused Resources In Kubernetes. + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 13.1.3 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.22 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for infrastructure/6532c1fe-9d23-4228-8722-558ddabca7d4 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test network segmentation: + uuid: 6d2c3ac6-8afc-4af6-a5e9-6188341aca01 + risk: Wrong or no network segmentation of pods makes it easier for an attacker + to access a database and extract or modify data. + measure: Cluster internal test needs to be performed. Integration of fine granulated + network segmentation (also between pods in the same namespace). 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: fffa6fb9-1fae-4852-88dc-c7086961330c + name: netassert + tags: [] + url: https://github.com/controlplaneio/netassert + dependsOn: + - Isolated networks for virtual environments + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 13.1.3 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - 8.22 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for infrastructure/6d2c3ac6-8afc-4af6-a5e9-6188341aca01 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test of the configuration of cloud environments: + uuid: 7bb70764-9392-4462-935d-e55b2e148199 + risk: Standard hardening practices for cloud environments are not performed + leading to vulnerabilities. + measure: With the help of tools the configuration of virtual environments are + tested. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 2 + implementation: + - uuid: 893d9f37-2142-4490-996c-e43b55064d3d + name: kubescape + url: https://github.com/armosec/kubescape + tags: + - kubernetes + - vulnerability + - misconfiguration + description: _Testing if Kubernetes is deployed securely as defined in Kubernetes + Hardening Guidance by to NSA and CISA_ + - uuid: 2af7204c-a25c-4625-9775-889978386407 + name: kube-hunter + tags: [] + url: https://github.com/aquasecurity/kube-hunter + - uuid: d45fba7d-f176-4f06-a33c-434b17ec8a8f + name: openVAS + tags: [] + url: https://www.openvas.org/ + references: + samm2: [] + iso27001-2017: + - System hardening is not explicitly covered by ISO 27001 - too specific + - 12.6.1 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - System hardening is not explicitly covered by ISO 27001 - too specific + - 8.8 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth 
for infrastructure/7bb70764-9392-4462-935d-e55b2e148199 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Weak password test: + uuid: 61e10f9c-e126-4ffa-af12-fdbe0d0a831f + risk: Weak passwords in components like applications or systems, specially for + privileged accounts, lead to take over of that account. + measure: Automatic brute force attacks are performed. Specially the usage of + standard accounts like 'admin' and employee user-ids is recommended. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 1 + level: 3 + implementation: + - uuid: b99c9d52-dd1a-4aef-8699-65173cf978ce + name: HTC Hydra + tags: + - password + url: https://www.htc-cs.com/en/products/htc-hydra/ + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 9.4.3 + iso27001-2022: + - 5.17 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic + depth for infrastructure/61e10f9c-e126-4ffa-af12-fdbe0d0a831f + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Static depth for applications: + API design validation: + uuid: 017d9e26-42b5-49a4-b945-9f59b308fb99 + risk: Creation of insecure or non-compliant API. + measure: | + Design contract-first APIs using an interface description language such as OpenAPI, AsyncAPI or SOAP + and validate the specification using specific tools. + Checks should be integrated in IDEs and CI/CD pipelines. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - uuid: 261f243e-f89c-4169-b076-b22a03ec00be + name: Spectral + tags: + - linting + - api + - documentation + url: https://github.com/stoplightio/spectral + description: | + Spectral is a flexible JSON/YAML linter built with extensibility in mind. + It uses JSON/YAML path rules to describe the problems you want to find. 
+ - uuid: d2c9403d-9da2-4518-b33f-8b74b9c5ca3f + name: API OAS Checker + tags: + - linting + - api + - documentation + url: https://github.com/italia/api-oas-checker + description: | + A tool to check OpenAPI specifications using a comprehensive ruleset based + on API best practices. + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 14.2.1 + - 14.2.5 + iso27001-2022: + - 8.25 + - 8.27 + - 8.28 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/017d9e26-42b5-49a4-b945-9f59b308fb99 + dependsOn: + - Inventory of production components + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Dead code elimination: + uuid: a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d + risk: Dead code increases the attack surface (use of hard coded credentials + and variables, sensitive information) + measure: Collection of unused code and then manual removal of unused code. + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 1 + level: 5 + implementation: + - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb + name: PMD + tags: [] + dependsOn: + - Defined build process + references: + samm2: + - V-ST-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Exclusion of source code duplicates: + uuid: d17dbff0-1f10-492a-b4c7-17bb59a0a711 + risk: Duplicates in source code might influence the stability of the application. + measure: Automatic Detection and manual removal of duplicates in source code. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 1 + level: 5 + implementation: + - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb + name: PMD + tags: [] + dependsOn: + - Defined build process + references: + samm2: + - V-ST-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/d17dbff0-1f10-492a-b4c7-17bb59a0a711 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Exploit likelihood estimation: + uuid: f2f0f274-c1a0-4501-92fe-7fc4452bc8ad + risk: Without proper prioritization, organizations may waste time and effort + on low-risk vulnerabilities while neglecting critical ones. + measure: Estimate the likelihood of exploitation by using data (CISA KEV) from + the past or prediction models (EPSS). + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - Software Composition Analysis (server side) + implementation: + - uuid: aa507341-9531-42cd-95cf-d7b51af47086 + name: Known Exploited Vulnerabilities + tags: + - vulnerability + url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog + description: A catalog of vulnerabilities that have been exploited. + - uuid: e39afc58-8195-4600-92c6-11922e3a141b + name: Exploit Prediction Scoring System + tags: + - vulnerability + url: https://www.first.org/epss/ + description: Estimates the likelihood that a software vulnerability will be + exploited. 
+ references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/f2f0f274-c1a0-4501-92fe-7fc4452bc8ad + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Local development security checks performed: + uuid: 6e180abc-7c98-4265-b4e9-852cb91b067b + risk: Creating and developing code contains code smells and quality issues. + measure: | + Integration of quality and linting plugins with interactive development environment (IDEs). + Implement pre-commit checks to prevent secrets & other security issues being commit to source code. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 4 + level: 3 + implementation: + - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 + name: Fortify Extension for Visual Studio Code + url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code + tags: + - ide + - sast + - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005 + name: Setting Up the Visual Studio Code Extension Plugin + url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin + tags: + - ide + - sast + - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb + name: HCL AppScan CodeSweep + url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep + tags: + - ide + - sast + - uuid: 58ac9dea-b6c7-4698-904e-df89a9451c82 + name: DevSecOps control Pre-commit + url: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls#plan-and-develop + tags: + - pre-commit + - uuid: 8da8d115-0f4e-40f0-a3ce-484a49e845fb + name: Building your DevSecOps pipeline 5 essential activities + url: https://www.synopsys.com/blogs/software-security/devsecops-pipeline-checklist/ + tags: + - pre-commit + references: + samm2: + - V-ST-1-A + iso27001-2017: + - Hardening is 
not explicitly covered by ISO 27001 - too specific + - 13.1.3 + iso27001-2022: + - Hardening is not explicitly covered by ISO 27001 - too specific + - 8.22 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/6e180abc-7c98-4265-b4e9-852cb91b067b + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Software Composition Analysis (client side): + uuid: 07fe8c4f-ae33-4409-b1b2-cf64cfccea86 + risk: Client side components might have vulnerabilities. + measure: Tests for known vulnerabilities in components via Software Composition + Analysis of the frontend are performed. + difficultyOfImplementation: + knowledge: 1 + time: 2 + resources: 1 + usefulness: 2 + level: 3 + dependsOn: + - Defined build process + - Inventory of production components + - Exploit likelihood estimation + implementation: + - uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7 + name: retire.js + tags: [] + url: https://github.com/RetireJS/retire.js/ + - uuid: 7c26484a-763c-437d-b953-d482a4fd7cf3 + name: npm audit + tags: [] + url: https://docs.npmjs.com/cli/audit + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: 5c0e817b-204e-4301-a315-2f7cc180c240 + name: Dependabot + tags: + - dependency + - dependency-management + - scm + url: https://github.com/dependabot/dependabot-core + description: | + Dependabot creates pull requests to keep your dependencies secure and up-to-date. 
+ references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/07fe8c4f-ae33-4409-b1b2-cf64cfccea86 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Software Composition Analysis (server side): + uuid: d918cd44-a972-43e9-a974-eff3f4a5dcfe + description: Use a tool like trivy and concentrate on application related vulnerabilities. + At this stage, ignore vulnerabilities in container base images used in the + service. + risk: Server side components might have vulnerabilities. + measure: Tests for known vulnerabilities in server side components (e.g. backend/middleware) + are performed. + difficultyOfImplementation: + knowledge: 1 + time: 3 + resources: 1 + usefulness: 5 + level: 2 + dependsOn: + - Defined build process + - Inventory of production components + implementation: + - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207 + name: OWASP Dependency Check + tags: + - OpenSource + - Supply Chain + - vulnerability + url: https://owasp.org/www-project-dependency-check/ + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). 
+ url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + - uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7 + name: retire.js + tags: [] + url: https://github.com/RetireJS/retire.js/ + - uuid: 7c26484a-763c-437d-b953-d482a4fd7cf3 + name: npm audit + tags: [] + url: https://docs.npmjs.com/cli/audit + - uuid: 5c0e817b-204e-4301-a315-2f7cc180c240 + name: Dependabot + tags: + - dependency + - dependency-management + - scm + url: https://github.com/dependabot/dependabot-core + description: | + Dependabot creates pull requests to keep your dependencies secure and up-to-date. + - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b + name: https://github.com/aquasecurity/trivy + tags: [] + url: https://github.com/aquasecurity/trivy + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/d918cd44-a972-43e9-a974-eff3f4a5dcfe + tags: + - vmm-testing + teamsImplemented: + Default: false + B: false + C: false + Static analysis for all components/libraries: + uuid: f4ff841d-3b2a-45d9-853e-5ec7ecbcb054 + risk: Used components like libraries and legacy applications might have vulnerabilities + measure: Usage of a static analysis for all used components. 
+ difficultyOfImplementation: + knowledge: 2 + time: 4 + resources: 2 + usefulness: 3 + level: 5 + dependsOn: + - Static analysis for important client side components + - Static analysis for important server side components + - Inventory of production components + implementation: [] + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/f4ff841d-3b2a-45d9-853e-5ec7ecbcb054 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Static analysis for all self written components: + uuid: ee68331f-9b1d-4f61-844b-b2ea04753a84 + risk: Parts in the source code of the frontend or middleware have vulnerabilities. + measure: Usage of static analysis tools for all parts of the middleware and + frontend. Static analysis uses for example string matching algorithms and/or + dataflow analysis. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 4 + implementation: + - uuid: 6a0948a7-4781-4858-9766-f4303971b28b + name: eslint + tags: [] + url: https://eslint.org/ + - uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078 + name: FindSecurityBugs + tags: [] + - uuid: cccc2882-62ab-4175-afa1-58471017e8ed + name: jsprime + tags: [] + url: https://github.com/dpnishant/jsprime + - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 + name: Fortify Extension for Visual Studio Code + url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code + tags: + - ide + - sast + - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005 + name: Setting Up the Visual Studio Code Extension Plugin + url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin + tags: + - ide + - sast + - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb + name: HCL AppScan CodeSweep + url: 
https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep + tags: + - ide + - sast + dependsOn: + - Static analysis for important client side components + - Static analysis for important server side components + - Inventory of production components + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/ee68331f-9b1d-4f61-844b-b2ea04753a84 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Static analysis for important client side components: + uuid: e237176b-bec5-447d-a926-e37d6dd60e4b + risk: Important parts in the source code of the frontend have vulnerabilities. + measure: Usage of static analysis tools for important parts of the frontend + are used. Static analysis uses for example string matching algorithms and/or + dataflow analysis. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 6a0948a7-4781-4858-9766-f4303971b28b + name: eslint + tags: [] + url: https://eslint.org/ + - uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078 + name: FindSecurityBugs + tags: [] + - uuid: cccc2882-62ab-4175-afa1-58471017e8ed + name: jsprime + tags: [] + url: https://github.com/dpnishant/jsprime + - uuid: 3a8ba0ea-37dc-4124-983b-bbf9b4443d75 + name: '[bdd-mobile-security' + tags: [] + url: https://github.com/ing-bank/bdd-mobile-security-automation-framework + description: '[bdd-mobile-security-automation-framework](https://github.com/ing-bank/bdd-mobile-security-automation-framework)' + - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 + name: Fortify Extension for Visual Studio Code + url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code + tags: + - ide + - sast + - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005 + name: Setting Up the Visual Studio Code 
Extension Plugin + url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin + tags: + - ide + - sast + - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb + name: HCL AppScan CodeSweep + url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep + tags: + - ide + - sast + dependsOn: + - Defined build process + - Inventory of production components + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/e237176b-bec5-447d-a926-e37d6dd60e4b + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Static analysis for important server side components: + uuid: 6c05c837-8c99-46e2-828b-7c903e27dba4 + risk: Important parts in the source code of the middleware have vulnerabilities. + measure: Usage of static analysis tools for important parts of the middleware + are used. Static analysis uses for example string matching algorithms and/or + dataflow analysis. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 3 + implementation: + - uuid: 6a0948a7-4781-4858-9766-f4303971b28b + name: eslint + tags: [] + url: https://eslint.org/ + - uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078 + name: FindSecurityBugs + tags: [] + - uuid: cccc2882-62ab-4175-afa1-58471017e8ed + name: jsprime + tags: [] + url: https://github.com/dpnishant/jsprime + - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 + name: Fortify Extension for Visual Studio Code + url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code + tags: + - ide + - sast + - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005 + name: Setting Up the Visual Studio Code Extension Plugin + url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin + tags: + - ide + - sast + - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb + name: HCL AppScan CodeSweep + url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep + tags: + - ide + - sast + dependsOn: + - Defined build process + - Inventory of production components + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/6c05c837-8c99-46e2-828b-7c903e27dba4 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Stylistic analysis: + uuid: efa52cc8-6c5c-4ba2-a3d2-7164b0402f34 + risk: Unclear or obfuscated code might have unexpected behavior. + measure: Analysis of compliance to style guides of the source code ensures that + source code formatting rules are met (e.g. indentation, loops, ...). 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 1 + level: 5 + implementation: + - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb + name: PMD + tags: [] + - uuid: 0b7ec352-0c36-4de1-8912-617fc6c608fe + name: How to enforce a consistent coding style in your projects + url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm + tags: + - ide + - linting + - uuid: aa5ded61-5380-4da6-9474-afc36a397682 + name: In-Depth Linting of Your TypeScript While Coding + url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding + tags: + - ide + - linting + - uuid: 94a7a85e-8064-46b4-929a-9e03fa292a9f + name: Super-Linter + tags: + - linting + - scm + url: https://github.com/github/super-linter + description: | + Lint code bases to catch common errors and enforce code style + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/efa52cc8-6c5c-4ba2-a3d2-7164b0402f34 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for Patch Deployment Time: + uuid: 0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2 + risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities + in production artifacts. + measure: | + Test of the Patch Deployment Time. + This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 3 + level: 3 + implementation: + - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb + name: PMD + tags: [] + dependsOn: + - Automated PRs for patches + - Defined build process + references: + samm2: + - V-ST-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2 + comments: "" + meta: + implementationGuide: Self implementation. This activity is not repeated in + the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure + as well. + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Test for Time to Patch: + uuid: 13af1227-3dd1-4d4f-a9e9-53deb793c18f + risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities + in production artifacts. + measure: |- + Test of the Time to Patch (e.g. based on Mean Time to Close automatic PRs) + This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 + name: dependabot + tags: + - auto-pr + - patching + url: https://dependabot.com/ + - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920 + name: renovate + tags: + - auto-pr + - patching + url: https://github.com/renovatebot/renovate + dependsOn: + - Automated PRs for patches + references: + samm2: + - V-ST-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/13af1227-3dd1-4d4f-a9e9-53deb793c18f + comments: "" + meta: + implementationGuide: Usage of a version control platform API (e.g. github + API) can be used to fetch the information. Consider that `Measure libyears` + might be an alternative to this activity. + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Test libyear: + uuid: 87b54313-fafd-4860-930f-5ef132b3e4ad + risk: Vulnerabilities in running artifacts stay for long and might get exploited. + measure: Test `libyear`, which provides a good insight how good patch management + is. + difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 3 + level: 2 + implementation: + - uuid: 2fff917f-205e-4eab-2e0e-1fab8c04bf33 + name: libyear + tags: + - patching + - build + url: https://libyear.com/ + description: A simple measure of software dependency freshness. It is a single + number telling you how up-to-date your dependencies are. 
+ dependsOn: + - Defined build process + references: + samm2: + - V-ST-2-A + iso27001-2017: + - Not explicitly covered by ISO 27001 - too specific + - 14.2.1 + - 14.2.5 + iso27001-2022: + - Not explicitly covered by ISO 27001 - too specific + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/87b54313-fafd-4860-930f-5ef132b3e4ad + comments: "" + meta: + implementationGuide: | + `libyear` can be integrated into the build process and flag or even better break the build in case the defined threshold (e.g. 30 years) is reached. + An alternative approach is to determine `libyear` based on deployed artifacts (which requires more effort in implementation). + tags: + - patching + teamsImplemented: + Default: false + B: false + C: false + Usage of multiple analyzers: + uuid: 297be001-8d94-41ee-ab29-207020d423c0 + risk: Each vulnerability analyzer has different opportunities. By using just + one analyzer, some vulnerabilities might not be found. + measure: Usage of multiple static tools to find more vulnerabilities. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 5 + usefulness: 1 + level: 4 + dependsOn: + - Software Composition Analysis (server side) + - Software Composition Analysis (client side) + - Static analysis for all self written components + implementation: [] + references: + samm2: + - V-ST-3-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for applications/297be001-8d94-41ee-ab29-207020d423c0 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Static depth for infrastructure: + Analyze logs: + uuid: b217c8bb-5d61-4b41-a675-1083993f83b1 + risk: Not aware of attacks happening. + measure: Check logs for keywords. 
+ difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - uuid: 1adf1ac0-8572-407b-a358-3976d9a225e2 + name: SigmaHQ + tags: [] + url: https://github.com/SigmaHQ/sigma + references: + samm2: [] + iso27001-2017: + - ISO 27001:2017 mapping is missing + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/b217c8bb-5d61-4b41-a675-1083993f83b1 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Correlate known vulnerabilities in infrastructure with new image versions: + uuid: 7de0ae33-6538-45cd-8222-a1475647ba58 + risk: TODO. + measure: TODO + difficultyOfImplementation: + knowledge: 2 + time: 5 + resources: 4 + usefulness: 1 + level: 4 + dependsOn: + - Usage of a maximum lifetime for images + implementation: + - uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc + name: Anchore.io + tags: [] + url: https://anchore.com/ + - uuid: f10f5423-4dff-4bb7-99c8-9ce214645071 + name: Clair + tags: [] + url: https://github.com/quay/clair + - uuid: d0c6b3a0-b073-44d7-a187-c4ad8eaa6531 + name: OpenSCAP + tags: [] + url: https://www.open-scap.org/ + - uuid: 04261564-2fcf-4b73-8847-83b0d855e1c5 + name: Vuls + tags: [] + url: https://github.com/future-architect/vuls + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + iso27001-2022: + - 8.8 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/7de0ae33-6538-45cd-8222-a1475647ba58 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Software Composition Analysis: + uuid: 26e1c6d5-5632-4ec7-80d2-e564b98732ad + risk: Known vulnerabilities in infrastructure components like container images + might get exploited. 
+ measure: Check for known vulnerabilities + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 4 + level: 4 + description: Subscribing to Github projects and reading release notes might + help. Software Composition Analysis for infrastructure might help, but is + often too fine-granular. + implementation: + - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b + name: https://github.com/aquasecurity/trivy + tags: [] + url: https://github.com/aquasecurity/trivy + - uuid: 8737c6c0-4e90-400a-bf9a-f8e399913b57 + name: Registries like quay + tags: [] + description: Registries like quay, dockerhub provide (commercial) offerings, + often not suitable for distroless images + - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + iso27001-2022: + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/26e1c6d5-5632-4ec7-80d2-e564b98732ad + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test cluster deployment resources: + uuid: 621fb6a5-5c0a-4408-826a-068868bb031b + risk: The deployment configuration (e.g. kubernetes deployment resources) might + contain unsecured configurations. + measure: Test the deployment configuration for virtualized environments for + unsecured configurations. 
+ difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 3 + level: 2 + implementation: + - uuid: 1e58f8d2-61e2-45bb-a17c-51516d0cc9ba + name: kubesec + tags: [] + url: https://kubesec.io + references: + samm2: + - V-ST-1-A + iso27001-2017: + - System hardening is not explicitly covered by ISO 27001 - too specific + - 12.6.1 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - System hardening is not explicitly covered by ISO 27001 - too specific + - 8.8 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/621fb6a5-5c0a-4408-826a-068868bb031b + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for image lifetime: + uuid: ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b + risk: Old container images in production indicate that patch management is not + performed and therefore vulnerabilities might exists. + measure: Check the image age of containers in production. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 1 + usefulness: 2 + level: 2 + implementation: + - url: https://github.com/SDA-SE/clusterscanner + uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f + name: ClusterScanner + tags: + - docker + - image + - container + - vulnerability + - misconfiguration + - security-tools + - scanning + description: Discover vulnerabilities and container image misconfiguration + in production environments. + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 12.6.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for malware: + uuid: 837f8f90-adc2-4e6b-9ebb-60c2ee29494d + risk: Third party might include malware. Ether due to the maintainer (e.g. 
+ typo squatting of an image name and using the wrong image) or by an attacker + on behalf of the maintainer with stolen credentials. + measure: Check for malware in components (e.g. container images, VM baseline + images, libraries). + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - url: https://github.com/SDA-SE/clusterscanner + uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f + name: ClusterScanner + tags: + - docker + - image + - container + - vulnerability + - misconfiguration + - security-tools + - scanning + description: Discover vulnerabilities and container image misconfiguration + in production environments. + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.2.1 + iso27001-2022: + - 8.7 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/837f8f90-adc2-4e6b-9ebb-60c2ee29494d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for new image version: + uuid: cb6321aa-0fbf-4996-9e08-05ab26ef4c1e + risk: When a new version of an image is available, it might fix security vulnerabilities. + measure: Check for new images of containers in production. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 1 + usefulness: 2 + level: 3 + implementation: [] + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + - 14.2.5 + - 12.2.1 + iso27001-2022: + - 8.8 + - 8.7 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/cb6321aa-0fbf-4996-9e08-05ab26ef4c1e + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for stored secrets: + uuid: c6e3c812-56e2-41b0-ae01-b7afc41a004c + risk: Stored secrets in git history, in container images or directly in code + shouldn't exists because they might be exposed to unauthorized parties. 
+ measure: Test for secrets in code, container images and history + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 2 + level: 1 + implementation: + - uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6 + name: truffleHog + tags: [] + url: https://github.com/dxa4481/truffleHog + - uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835 + name: go-pillage-registries + tags: [] + url: https://github.com/nccgroup/go-pillage-registries + references: + samm2: + - V-ST-1-A + iso27001-2017: + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 9.4.3 + - 10.1.2 + iso27001-2022: + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 5.17 + - 8.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/c6e3c812-56e2-41b0-ae01-b7afc41a004c + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test of infrastructure components for known vulnerabilities: + uuid: 13367d8f-e37f-4197-a610-9ffca4fde261 + risk: Infrastructure components might have vulnerabilities. + measure: Test for known vulnerabilities in infrastructure components. Often, + the only way to respond to known vulnerabilities in operating system packages + is to accept the risk and wait for a patch. As the patch needs to be applied + fast when it is available, this activity depends on 'Usage of a maximum life + for images'. 
+ difficultyOfImplementation: + knowledge: 2 + time: 5 + resources: 2 + usefulness: 1 + level: 4 + dependsOn: + - Usage of a maximum lifetime for images + implementation: + - uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc + name: Anchore.io + tags: [] + url: https://anchore.com/ + - uuid: f10f5423-4dff-4bb7-99c8-9ce214645071 + name: Clair + tags: [] + url: https://github.com/quay/clair + - uuid: d0c6b3a0-b073-44d7-a187-c4ad8eaa6531 + name: OpenSCAP + tags: [] + url: https://www.open-scap.org/ + - uuid: 04261564-2fcf-4b73-8847-83b0d855e1c5 + name: Vuls + tags: [] + url: https://github.com/future-architect/vuls + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + iso27001-2022: + - 8.8 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/13367d8f-e37f-4197-a610-9ffca4fde261 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test of virtualized environments: + uuid: 58825d22-1ce6-4748-af81-0ec9956e4129 + risk: Virtualized environments (e.g. via Container Images) might contains + unsecure configurations. + measure: Test virtualized environments for unsecured configurations. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 3 + level: 2 + implementation: + - uuid: 73419fb5-b13d-4242-83ec-86f36c7d73d5 + name: Dive to inspect a container images + tags: [] + url: https://github.com/wagoodman/dive + - url: https://github.com/SDA-SE/clusterscanner + uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f + name: ClusterScanner + tags: + - docker + - image + - container + - vulnerability + - misconfiguration + - security-tools + - scanning + description: Discover vulnerabilities and container image misconfiguration + in production environments. 
+ references: + samm2: + - V-ST-1-A + iso27001-2017: + - ISO 27001:2017 mapping is missing + iso27001-2022: + - ISO 27001:2022 mapping is missing + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/58825d22-1ce6-4748-af81-0ec9956e4129 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test the cloud configuration: + uuid: 46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc + risk: Standard hardening practices for cloud environments are not performed + leading to vulnerabilities. + measure: With the help of tools, the configuration of virtual environments are + tested. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 1 + usefulness: 4 + level: 2 + implementation: + - uuid: 8aeefd29-6220-45bf-aead-83eba2e9d055 + name: kube-bench + tags: [] + url: https://github.com/aquasecurity/kube-bench + references: + samm2: + - V-ST-1-A + iso27001-2017: + - System hardening is not explicitly covered by ISO 27001 - too specific + - 12.6.1 + - 14.2.3 + - 14.2.8 + iso27001-2022: + - System hardening is not explicitly covered by ISO 27001 - too specific + - 8.8 + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test the definition of virtualized environments: + uuid: 8fc3de67-7b8d-420b-8d24-f35928cfed6e + risk: The definition of virtualized environments (e.g. via Dockerfile) + might contain unsecure configurations. + measure: Test the definition of virtualized environments for unsecured configurations. + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 3 + level: 2 + meta: + implementationGuide: For containier (images), test that the images are following + best practices like distroless or non-root. 
+ implementation: + - uuid: 94d993ad-ef6e-4d9f-b7a8-27ea68dc3005 + name: Dockerfile with hadolint + tags: [] + url: https://github.com/hadolint/hadolint + - uuid: 95b717cd-5ad3-40b5-993b-13a63c382b1b + name: Deployment with kube-score + tags: [] + url: https://github.com/zegl/kube-score + - uuid: eba2685d-2d25-4961-8e4e-2957e7c07c30 + name: dockerfilelint + tags: + - sast + - docker + - dockerfile + url: https://github.com/replicatedhq/dockerfilelint + description: dockerfilelint is an node module that analyzes a Dockerfile and + looks for common traps, mistakes and helps enforce best practices. + references: + samm2: + - V-ST-1-A + iso27001-2017: + - System hardening, virtual environments are not explicitly covered by ISO + 27001 - too specific + - 12.6.1 + - 14.2.3 + - 14.2.8 + - 14.2.1 + iso27001-2022: + - System hardening, virtual environments are not explicitly covered by ISO + 27001 - too specific + - 8.8 + - 8.32 + - 8.29 + - 8.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/8fc3de67-7b8d-420b-8d24-f35928cfed6e + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test-Intensity: + Creation and application of a testing concept: + uuid: 79ef8103-e1ed-4055-8df8-fd2b2015bebe + risk: Scans might use a too small or too high test intensity. + measure: A testing concept considering the amount of time per scan/intensity + is created and applied. A dynamic analysis needs more time than a static analysis. + The dynamic scan, depending on the test intensity might be performed on every + commit, every night, every week or once in a month. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 2 + level: 4 + implementation: [] + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 14.2.2 + - 14.2.3 + - 14.2.1 + - 14.2.5 + - 12.6.1 + iso27001-2022: + - 8.25 + - 8.32 + - 8.27 + - 8.8 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/79ef8103-e1ed-4055-8df8-fd2b2015bebe + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Deactivating of unneeded tests: + uuid: 1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5 + risk: As tools cover a wide range of different vulnerability tests, they might + not match the used components. Therefore, they need more time and resources + as they need and the feedback loops takes too much time. + measure: Unneeded tests are deactivated. For example in case the service is + using a Mongo database and no mysql database, the dynamic scan doesn't need + to test for sql injections. + difficultyOfImplementation: + knowledge: 2 + time: 3 + resources: 1 + usefulness: 1 + level: 3 + implementation: [] + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Default settings for intensity: + uuid: ab0a4b51-3b18-43f1-a6fc-a98e4b28453d + risk: Time pressure and ignorance might lead to false predictions for the test + intensity. + measure: The intensity of the used tools are not modified to save time. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 1 + level: 1 + implementation: [] + references: + samm2: + - V-ST-1-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/ab0a4b51-3b18-43f1-a6fc-a98e4b28453d + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + High test intensity: + uuid: 2ebfc421-8c76-415c-a3b0-fa518915bd10 + risk: A too small intensity or a too high confidence might lead to not visible + vulnerabilities. + measure: A deep scan with high test intensity and a low confidence threshold + is performed. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 5 + usefulness: 3 + level: 3 + implementation: [] + references: + samm2: + - V-ST-2-A + iso27001-2017: + - 12.6.1 + - 14.2.1 + - 14.2.5 + iso27001-2022: + - 8.8 + - 8.25 + - 8.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/2ebfc421-8c76-415c-a3b0-fa518915bd10 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Regular automated tests: + uuid: 598897a2-358e-441f-984c-e12ec4f6110a + risk: After pushing source code to the version control system, any delay in + receiving feedback on defects makes them harder for the developer to remediate. + measure: On each push and/or at given intervals automatic security tests are + performed. 
+ difficultyOfImplementation: + knowledge: 1 + time: 1 + resources: 1 + usefulness: 2 + level: 2 + implementation: [] + references: + samm2: + - I-SB-3-A + iso27001-2017: + - 14.2.3 + - 14.2.8 + - 14.2.9 + iso27001-2022: + - 8.32 + - 8.29 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/598897a2-358e-441f-984c-e12ec4f6110a + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false +... diff --git a/src/assets/YAML/meta.yaml b/src/assets/YAML/meta.yaml index e1b1b7e60..46622595f 100644 --- a/src/assets/YAML/meta.yaml +++ b/src/assets/YAML/meta.yaml 
@@ -1,28 +1,45 @@
 ---
+teamProgressFile: 'team-progress.yaml'
+progressDefinition:
+ Backlog: 0%
+ # Planned: 10%
+ Started: 30%
+ Implemented: 100%
+# progress:
+# Low maturity: 0%
+# Medium maturity: 40%
+# High maturity: 100%
+
+allowChangeTeamNameInBrowser: true
+teams:
+ $ref: 'default/teams.yaml#/teams'
+teamGroups:
+ $ref: 'default/teams.yaml#/teamGroups'
+
+activityFiles:
+ # - generated/generated.yaml
+ - default/activities.yaml
+ # - custom/custom-activities.yaml # For customizing your own activities
+ # - custom/test-ignore-activities.yaml
+
+
 #
 # Various strings and messages
 #
+lang: en
 strings:
- en: &en
- references:
- samm2:
- label: OWASP SAMM VERSION 2
- description: |-
- Software Assurance Maturity Model
- The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate
- and implement a strategy for software security that is tailored
- to the specific risks facing the organization.
- https://owaspsamm.org/blog/2020/01/31/samm2-release/
- iso27001-2017:
- label: ISO 27001:2017
- description: |-
- ISO 27001:2017
- iso27001-2022:
- label: ISO 27001:2022
- description: |-
- ISO 27001:2022
+ en:
+ allTeamsGroupName: 'All teams'
+ maturityLevels:
+ [
+ 'Level 1: Basic understanding of security practices',
+ 'Level 2: Adoption of basic security practices',
+ 'Level 3: High adoption of security practices',
+ 'Level 4: Very high adoption of security practices',
+ 'Level 5: Advanced deployment of security practices at scale',
+ ]
 labels: ['Very Low', 'Low', 'Medium', 'High', 'Very High']
- KnowledgeLabels:
+ knowledgeLabels:
 [
 'Very Low (one discipline)',
 'Low (one discipline)',
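Review bot: `progressDefinition` leaves `Planned` commented out (`# Planned: 10%`), yet the `team-progress.yaml` added in the same commit records `'Planned'` dates for most teams; how a progress entry whose only state is absent from `progressDefinition` is treated is not visible in this series, so either reinstate the key or document the contract, e.g. `# Keys must match the state names used in the teamProgressFile (Planned/Started/Implemented); unknown states: TODO document`. The two `$ref` entries point at `default/teams.yaml`, while the only teams file this series shows is `src/assets/YAML/teams.yaml` (edited here, deleted in patch 03), so it is worth confirming that the referenced path exists in the tree. `allowChangeTeamNameInBrowser: true` is a behaviour switch with no comment; a one-line note on what renaming in the browser affects (display only vs. persisted progress keys) would help the next reader.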
@@ -30,18 +47,3 @@ strings:
 'High (two disciplines)',
 'Very High (three or more disciplines)',
 ]
- hardness: ['Very soft', 'Soft', 'Medium', 'High', 'Very high']
- maturity_levels:
- [
- 'Level 1: Basic understanding of security practices',
- 'Level 2: Adoption of basic security practices',
- 'Level 3: High adoption of security practices',
- 'Level 4: Very high adoption of security practices',
- 'Level 5: Advanced deployment of security practices at scale',
- ]
-# Default team
-teams: ['Default', 'B', 'C']
-teamGroups:
- GroupA: ['Default', 'B']
- GroupB: ['B', 'C']
- GroupC: ['Default', 'C']
diff --git a/src/assets/YAML/team-progress-2.yaml b/src/assets/YAML/team-progress-2.yaml
new file mode 100644
index 000000000..21b9fd833
--- /dev/null
+++ b/src/assets/YAML/team-progress-2.yaml
@@ -0,0 +1,16 @@
+progress:
+ a340f46b-6360-4cb8-847b-a0d3483d09d3: # Building and testing of artifacts in virtual environments
+ A:
+ Planned: 2025-01-02
+ Started: 2025-01-01
+ Implemented: 2025-03-02
+ B:
+ Planned: 2025-02-02
+ Started: 2025-04-02
+ new-team:
+ Planned: 2025-02-02
+ new-uuid:
+ A:
+ Planned: 2025-01-02
+ Started: 2025-01-01
+ Implemented: 2025-03-02
diff --git a/src/assets/YAML/team-progress-default.yaml b/src/assets/YAML/team-progress-default.yaml
new file mode 100644
index 000000000..096015d54
--- /dev/null
+++ b/src/assets/YAML/team-progress-default.yaml
@@ -0,0 +1,2 @@
+ # Export team progress from the browser, and replace this file
+progress:
diff --git a/src/assets/YAML/team-progress.yaml b/src/assets/YAML/team-progress.yaml
new file mode 100644
index 000000000..dc179b3d2
--- /dev/null
+++ b/src/assets/YAML/team-progress.yaml
@@ -0,0 +1,120 @@ +progress: + a340f46b-6360-4cb8-847b-a0d3483d09d3: # Building and testing of artifacts in virtual environments + 'Team A': + 'Planned': 2025-01-01 + 'Started': 2025-02-01 + 'Team B': + 'Planned': 2025-03-01 + 'Started': 2025-04-01 + 'Team D': + 'Planned': 2025-04-01 + 'Implemented': 2025-05-01 + 'Not referenced': + 'Planned': 2000-01-01 + 'Started': 2000-07-01 + 'Implemented': 2000-12-31 + f6f7737f-25a9-4317-8de2-09bf59f29b5b: # Defined build process + 'Team B': + 'Planned': 2025-01-01 + 'Started': 2025-02-01 + 'Team C': + 'Planned': 2025-03-01 + 'Started': 2025-04-01 + 'Implemented': 2025-05-01 + 'Team D': + 'Planned': 2025-04-01 + 'Team A': + 'Planned': 2025-07-13 + 3d1f4c3b-f713-46d9-933a-54a014a26c03: # Simple system metrics + 'Team D': + 'Implemented': 2025-05-22 + 'Started': 2025-05-12 + 'Planned': 2025-02-23 + 'Team C': + 'Implemented': 2025-08-22 + 'Started': 2025-06-12 + 'Planned': 2025-05-21 + 'Team B': + 'Implemented': 2025-05-31 + 'Started': 2025-05-14 + 'Planned': 2025-05-01 + 'Team A': + 'Implemented': 2025-01-08 + 'Started': 2025-01-08 + 'Planned': 2025-01-08 + f08a3219-6941-43ec-8762-4aff739f4664: # Simple budget metrics + 'Team D': + 'Implemented': 2025-07-24 + 'Started': 2025-07-20 + 'Planned': 2025-07-12 + 'Team C': + 'Implemented': 2025-07-25 + 'Started': 2025-06-12 + 'Planned': 2025-06-12 + 'Team B': + 'Implemented': 2025-06-25 + 'Started': 2025-05-22 + 'Planned': 2025-05-12 + 'Team A': + 'Implemented': 2025-05-12 + 'Started': 2025-04-22 + 'Planned': 2025-04-01 + e9a6d403-a467-445e-b98a-74f0c29da0b1: # Simple application metrics + 'Team D': + 'Implemented': 2025-07-12 + 'Started': 2025-07-02 + 'Planned': 2025-06-22 + 'Team C': + 'Implemented': 2025-07-21 + 'Started': 2025-07-19 + 'Planned': 2025-06-22 + 'Team B': + 'Implemented': 2025-08-22 + 'Started': 2025-07-29 + 'Planned': 2025-06-22 + 'Team A': + 'Implemented': 2025-04-01 + 'Started': 2025-03-13 + 'Planned': 2025-03-01 + 4eced38a-7904-4c45-adb0-50b663065540: # Centralized 
system logging + 'Team B': + 'Planned': 2025-05-22 + 'Team C': + 'Started': 2025-05-22 + 'Planned': 2025-05-22 + 'Team D': + 'Implemented': 2025-05-24 + 'Started': 2025-05-22 + 'Planned': 2025-05-22 + 74938a3f-1269-49b9-9d0f-c43a79a1985a: # Defined deployment process + 'Team A': + 'Started': 2025-01-01 + 'Planned': 2025-01-01 + 'Team B': + 'Planned': 2025-08-22 + 'Team C': + 'Started': 2025-08-22 + 'Planned': 2025-07-19 + 'Team D': + 'Planned': 2025-01-22 + 2a44b708-734f-4463-b0cb-86dc46344b2f: # Inventory of production components + 'Team A': + 'Planned': 2025-03-22 + 'Team B': + 'Planned': 2025-03-22 + 'Team C': + 'Started': 2025-05-17 + 'Planned': 2025-03-22 + 'Team D': + 'Started': 2025-06-12 + 'Planned': 2025-03-22 + 9f107927-61e9-4574-85ad-3f2b4bca8665: # Signing of code + 'Team A': + 'Implemented': 2025-04-22 + 'Started': 2025-03-12 + 'Planned': 2025-03-02 + 'Team B': + 'Started': 2025-06-02 + 'Planned': 2025-04-04 + 'Team C': + 'Planned': 2025-09-22 diff --git a/src/assets/YAML/teams.yaml b/src/assets/YAML/teams.yaml index cbdecfac0..a5de4cdbb 100644 --- a/src/assets/YAML/teams.yaml +++ b/src/assets/YAML/teams.yaml @@ -2,8 +2,10 @@ # # Teams # -teams: ['A', 'B', 'C'] +teams: ['B', 'C', 'My page', 'My app', 'Invoice', 'Admin app'] teamGroups: - AB: ['A', 'B'] - BC: ['B', 'C'] - AC: ['A', 'C'] + GroupC: ['B', 'C'] + Customer: ['My page', 'My app'] + Internal: ['Invoice', 'Admin app'] + Mobile: ['My app', 'Admin app'] + diff --git a/src/assets/seek.html b/src/assets/seek.html new file mode 100644 index 000000000..563bd5168 --- /dev/null +++ b/src/assets/seek.html @@ -0,0 +1,140 @@ + + + + + SEEK + + + + + + + + + + + + + + + get ready... + + + +
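Review bot: The team names in the new `team-progress.yaml` (`'Team A'` … `'Team D'`, plus `'Not referenced'`) do not appear in the team list this series ships — `teams.yaml` in the same commit is changed to `['B', 'C', 'My page', 'My app', 'Invoice', 'Admin app']` and `meta.yaml` resolves teams via `default/teams.yaml`, which is not shown here. Whether progress for an unlisted team is dropped, shown, or silently creates a team is not visible, and the `'Not referenced'` block with year-2000 dates looks like deliberate test data, so a comment at the top of the file stating the intent would prevent it being mistaken for a real export, e.g. `# Sample data: team names intentionally differ from teams.yaml to exercise handling of unknown teams — TODO confirm`. Also worth noting in that comment that the date values are unquoted and will be parsed as YAML timestamps rather than strings, which matters for whatever compares them to `progressDefinition`.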
+
+ + + diff --git a/src/custom-theme.scss b/src/custom-theme.scss index d7d437a97..72e9fb569 100644 --- a/src/custom-theme.scss +++ b/src/custom-theme.scss @@ -1,5 +1,12 @@ @use '@angular/material' as mat; +.mat-drawer, +.mat-drawer-container { + transition: background 300ms + cubic-bezier(0.25, 0.8, 0.25, 1), box-shadow 280ms + cubic-bezier(0.4, 0, 0.2, 1); +} + // ---------------------------------------------- // Theme Colors and Typography // ---------------------------------------------- @@ -31,6 +38,8 @@ $DSOMM-primary: mat.define-palette(mat.$green-palette, 400); $DSOMM-accent: mat.define-palette(mat.$pink-palette, A200, A100, A400); $DSOMM-warn: mat.define-palette(mat.$red-palette); +$DSOMM-dark-primary: mat.define-palette(mat.$green-palette, 600); + // ---------------------------------------------- // Angular Material Themes // ---------------------------------------------- @@ -44,7 +53,7 @@ $DSOMM-light-theme: mat.define-light-theme(( $DSOMM-dark-theme: mat.define-dark-theme(( color: ( - primary: $DSOMM-primary, + primary: $DSOMM-dark-primary, accent: $DSOMM-accent, warn: $DSOMM-warn ) @@ -77,13 +86,19 @@ body { } .light-theme { + --text-primary: #000000; + --text-secondary: #bbbbbb; + --background-primary: #f5f5f5; + --background-secondary: #fefefe; + + --primary-color: #{mat.get-color-from-palette($DSOMM-primary)}; + --heatmap-filled: #4caf50; --heatmap-disabled: #dddddd; - --heatmap-cursor: green; --heatmap-background: white; --heatmap-stroke: black; - --heatmap-cursor-selected:var(--heatmap-cursor); - --heatmap-cursor-hover: transparent; + --heatmap-cursor-hover: #1c8b1c; + --heatmap-cursor-selected:#3d3d3d; @include mat.all-component-themes($DSOMM-light-theme); } 
@@ -94,14 +109,21 @@ body { body.dark-theme { @include apply-theme($custom-dark-theme); @include mat.all-component-themes($DSOMM-dark-theme); + + --text-primary: #fefefe; + --text-secondary: #ababab; + --background-primary: #303030; + --background-secondary: #424242; + + --primary-color: #{mat.get-color-from-palette($DSOMM-dark-primary)}; --heatmap-filled: #007700; --heatmap-disabled: #666666; - --heatmap-cursor: green; --heatmap-background: #bbbbbb; --heatmap-stroke: #000000; - --heatmap-cursor-selected:var(--heatmap-cursor); - --heatmap-cursor-hover: transparent; + --heatmap-cursor-hover: #145e14; + --heatmap-cursor-selected: #232323; + .title-button, h1, h2, h3, h4, h5, h6 { @@ -160,7 +182,7 @@ body.dark-theme { } .mat-chip.mat-standard-chip.mat-chip-selected.mat-primary { - background-color: #74b277; + background-color: var(--primary-color); } } @@ -178,11 +200,11 @@ svg .cursors path { } svg .cursors #hover { - stroke: var(--heatmap-cursor); - stroke-width: 7px; + stroke: var(--heatmap-cursor-hover, black); + stroke-width: 6px; } svg .cursors #selected { - stroke: var(--heatmap-cursor-selected, #000000); // optional fallback - stroke-width: 7px; + stroke: var(--heatmap-cursor-selected, black); + stroke-width: 4px; } diff --git a/src/environments/environment.prod.ts b/src/environments/environment.prod.ts index c9669790b..2eb624770 100644 --- a/src/environments/environment.prod.ts +++ b/src/environments/environment.prod.ts @@ -1,3 +1,4 @@ export const environment = { production: true, + experimental: true, }; diff --git a/src/environments/environment.ts b/src/environments/environment.ts index 66998ae9a..ec7adf87d 100644 --- a/src/environments/environment.ts +++ b/src/environments/environment.ts 
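Review bot: `experimental: true` is added to `environment.prod.ts`, so whatever this flag gates is enabled in production builds, and the companion `environment.ts` hunk (next hunk, dev environment) sets the same value, making the flag a constant across environments. If it is meant to hide unfinished features from production, the prod file should read `experimental: false,`; if it is meant to be on everywhere, a comment saying what it gates would save the next reader a search, e.g. `experimental: true, // enables <FEATURE-PLACEHOLDER>; intentionally also on in production`.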
@@ -4,13 +4,5 @@ export const environment = { production: false, + experimental: true, }; - -/* - * For easier debugging in development mode, you can import the following file - * to ignore zone related error stack frames such as `zone.run`, `zoneDelegate.invokeTask`. - * - * This import should be commented out in production mode because it will have a negative impact - * on performance if an error is thrown. - */ -// import 'zone.js/plugins/zone-error'; // Included with Angular CLI. diff --git a/src/index.html b/src/index.html index 8d114a99a..0e29ae990 100644 --- a/src/index.html +++ b/src/index.html @@ -11,7 +11,7 @@ href="https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500&display=swap" rel="stylesheet" /> Date: Sun, 21 Sep 2025 17:24:19 +0200 Subject: [PATCH 02/23] Linting --- src/app/pages/teams/teams.component.html | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/app/pages/teams/teams.component.html b/src/app/pages/teams/teams.component.html index 5e6d5f219..dee659632 100644 --- a/src/app/pages/teams/teams.component.html +++ b/src/app/pages/teams/teams.component.html @@ -21,17 +21,14 @@

{{ infoTitle }}

+ [suffix]="'activities'"> + [suffix]="'activities'"> + [value]="dateStr(info[infoTitle]?.lastUpdated)"> From d138f652ffa8bf9cb64784c3bc148c9cd9bfa2f6 Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Sun, 21 Sep 2025 18:59:56 +0200 Subject: [PATCH 03/23] Removed obsolete files --- src/assets/YAML/custom/custom-activities.yaml | 44 +- .../YAML/custom/custom-experimental.yaml | 17 - .../YAML/custom/test-ignore-activities.yaml | 22 - src/assets/YAML/default/activities-short.yaml | 87 - src/assets/YAML/generated/generated.yaml | 8597 ----------------- src/assets/YAML/meta.yaml | 3 +- src/assets/YAML/team-progress-2.yaml | 16 - src/assets/YAML/teams.yaml | 11 - src/assets/seek.html | 140 - 9 files changed, 24 insertions(+), 8913 deletions(-) delete mode 100644 src/assets/YAML/custom/custom-experimental.yaml delete mode 100644 src/assets/YAML/custom/test-ignore-activities.yaml delete mode 100644 src/assets/YAML/default/activities-short.yaml delete mode 100644 src/assets/YAML/generated/generated.yaml delete mode 100644 src/assets/YAML/team-progress-2.yaml delete mode 100644 src/assets/YAML/teams.yaml delete mode 100644 src/assets/seek.html diff --git a/src/assets/YAML/custom/custom-activities.yaml b/src/assets/YAML/custom/custom-activities.yaml index 38c003b3a..bfc56ab8b 100644 --- a/src/assets/YAML/custom/custom-activities.yaml +++ b/src/assets/YAML/custom/custom-activities.yaml 
@@ -1,35 +1,37 @@ - +# Sample file to show how to customize your own activities, or override existing ones. +# Build and Deployment: Build: New CUSTOM activity: - uuid: f6f7737f-1111-1111-1111-09bf59f29b5b - description: - This is a NEW activity + uuid: 11111111-1111-1111-1111-111111111111 level: 1 - Defined build process: + description: + This activity is an example of a custom activity that is specific to your organization. + measure: + Write your own measure text here, using markdown if needed. + risk: + See default/activities.yaml for examples of how to write risk statements. + + Defined OUR build process: uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b description: - Custom description for: same name and same uuid + This is an example with a custom _title_ and _description_ overriding the standard text. + # Pinning of artifacts: - # ignore: true # uuid: f3c4971e-9f4d-4e59-8ed0-f0bdb6111111 # description: - # This activity has a two different UUIDs + # This activity has a two different UUIDs for the same name, and will cause an error when loading in the browser. + SBOM of components: + ignore: true + description: + This will remove this activity from the list of activities in the browser. -New test category: - Custom tests: - NEW SBOM in NEW dimension: + +New CUSTOM dimension: + CUSTOM sub-dimension: + Re-classify SBOM activity to CUSTOM dimension: uuid: 2858ac12-0179-40d9-9acf-1b839c030473 level: 2 - Custom tests2: - High coverage of security related module and integration tests: - uuid: 67667c97-c33e-4306-a4e5-e7b1d8e10c5a - level: 1 - description: - This is the description for *High coverage* - Security integration tests for important components: - uuid: f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715 - level: 2 description: - This is the description for *Security integration tests* + This activity has been moved to a custom dimension. 
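Review bot: The new header comment describes this as a sample for customizing activities but does not say how the file gets loaded; in `meta.yaml` from patch 01 the entry `# - custom/custom-activities.yaml` under `activityFiles` is commented out, so a reader copying these examples will see no effect until they enable it. Suggest extending the header with `# To activate, add 'custom/custom-activities.yaml' to activityFiles in meta.yaml.`. The placeholder `uuid: 11111111-1111-1111-1111-111111111111` is also worth labelling as such (`# placeholder — generate a fresh UUID for real activities`), since the commented block just below explains that a duplicated UUID for a different name causes a load error.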
diff --git a/src/assets/YAML/custom/custom-experimental.yaml b/src/assets/YAML/custom/custom-experimental.yaml deleted file mode 100644 index ba1d4295b..000000000 --- a/src/assets/YAML/custom/custom-experimental.yaml +++ /dev/null @@ -1,17 +0,0 @@ - -Build and Deployment: - Build: - Experimental Build Activity: - uuid: 2858ac12-0179-40d9-9acf-1b839c030474 - level: 1 - description: | - Test activity - Testing Custom Activity Yaml, that ignores the whole pre-existing Build Dimension. - But add a new (this) separate custom activity. - Deployment: - Defined deployment process: - description: | - Custom description, defined in `custom-experimental.yaml`. - But other properties remain as-is. -Test and Verification: - Test-Intensity: - ignore: true diff --git a/src/assets/YAML/custom/test-ignore-activities.yaml b/src/assets/YAML/custom/test-ignore-activities.yaml deleted file mode 100644 index 7bdf02fd8..000000000 --- a/src/assets/YAML/custom/test-ignore-activities.yaml +++ /dev/null @@ -1,22 +0,0 @@ -Ignore this DEFAULT Category: - ignore: true -Build and Deployment: - Ignore this DEFAULT dimension: - ignore: true - Ignore this dimension: - ignore: true - Build: - Defined build process: - comments: A nice litte comment at the end - Signing of code: - level: 5 - uuid: 9f107927-61e9-4574-85ad-3f2b4bca8665 - ignore: true - Deployment: - This activity should have been ignored, too: - ignore: true - Ignore this Activity: - ignore: true - Ignore: - uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a - ignore: true diff --git a/src/assets/YAML/default/activities-short.yaml b/src/assets/YAML/default/activities-short.yaml deleted file mode 100644 index 2004483d0..000000000 --- a/src/assets/YAML/default/activities-short.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ -# version: 1.52.1 -#meta: -# version: 1.52.1 -Ignore this Category by default: - ignore: true - -Ignore this DEFAULT Category: - Should be ignored: - This activity should have been ignored: - uuid: 99999999-1111-9999-9999-999999999999 - level: 5 - description: - This is specified in the default activity file, but is removed by the ignore yaml - -Build and Deployment: - Ignore this dimension by default: - ignore: true - Ignore this DEFAULT dimension: - This activity should also have been ignored: - uuid: 99999999-2222-9999-9999-999999999999 - level: 5 - description: - This is specified in the default activity file, but is removed by the ignore yaml - Build: - This activity should have been ignored, too: - uuid: 99999999-333-9999-9999-999999999999 - level: 5 - description: - This is specified in the default activity file, but is removed by the ignore yaml - Building and testing of artifacts in virtual environments: - uuid: a340f46b-6360-4cb8-847b-a0d3483d09d3 - description: >- - A DSOMM description. 
- tags: - - ci-cd - - build - level: 3 - Defined build process: - uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b - description: > - DSOMM description without UUID - level: 1 - tags: - - ci-cd - - build - Pinning of artifacts: - uuid: f3c4971e-9f4d-4e59-8ed0-f0bdb6262477 - description: - DSOMM description, where uuid is different - level: 2 - tags: - - ci-cd - SBOM of components: - uuid: 2858ac12-0179-40d9-9acf-1b839c030473 - level: 3 - Signing of code: - level: 5 - uuid: 9f107927-61e9-4574-85ad-3f2b4bca8665 - # ignore: true - Deployment: - Ignore this Activity: - ignore: true - Defined deployment process: - uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a - level: 1 - description: - tags: - - ci-cd - Handover of confidential parameters: - uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a - level: 2 -Test and Verification: - Application tests: - High coverage of security related module and integration tests: - uuid: 67667c97-c33e-4306-a4e5-e7b1d8e10c5a - level: 5 - description: - This is the description for *High coverage* - tags: - - test - Security integration tests for important components: - uuid: f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715 - level: 3 - description: - This is the description for *Security integration tests* - tags: - - test diff --git a/src/assets/YAML/generated/generated.yaml b/src/assets/YAML/generated/generated.yaml deleted file mode 100644 index 5f0ac8637..000000000 --- a/src/assets/YAML/generated/generated.yaml +++ /dev/null 
@@ -1,8597 +0,0 @@ ---- -#meta: - #source: https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/refs/heads/main/src/assets/YAML/generated/generated.yaml - #version: 1.15.2 - -Build and Deployment: - Build: - Building and testing of artifacts in virtual environments: - uuid: a340f46b-6360-4cb8-847b-a0d3483d09d3 - description: |- - While building and testing artifacts, third party systems, application frameworks - and 3rd party libraries are used. These might be malicious as a result of - vulnerable libraries or because they are altered during the delivery phase. - risk: |- - While building and testing artifacts, third party systems, application frameworks - and 3rd party libraries are used. These might be malicious as a result of - vulnerable libraries or because they are altered during the delivery phase. - measure: Each step during within the build and testing phase is performed in - a separate virtual environments, which is destroyed afterward. - meta: - implementationGuide: Depending on your environment, usage of virtual machines - or container technology is a good way. After the build, the filesystem should - not be used again in other builds. 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 2 - level: 2 - implementation: - - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 - name: CI/CD tools - tags: - - ci-cd - url: https://martinfowler.com/articles/continuousIntegration.html - description: CI/CD tools such as jenkins, gitlab-ci or github-actions - - uuid: ed6b6340-6c7f-4e13-8937-f560d3f5db11 - name: Container technologies and orchestration like Docker, Kubernetes - tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:ContainerOrchestrationSoftware/ - references: - samm2: - - I-SB-2-A - iso27001-2017: - - 14.2.6 - iso27001-2022: - - 8.31 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/a340f46b-6360-4cb8-847b-a0d3483d09d3 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Defined build process: - uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b - description: "A *build process* include more than just compiling your source - code. \nIt also includes steps such as managing (third party) dependencies, - \nenvironment configuration, running the unit tests, etc. \n\nA *defined build - process* has automated these steps to ensure consistency.\n\nThis can be done - with a Jenkinsfile, Maven, or similar tools.\n" - risk: Performing builds without a defined process is error prone; for example, - as a result of incorrect security related configuration. - measure: A well defined build process lowers the possibility of errors during - the build process. - difficultyOfImplementation: - knowledge: 2 - time: 3 - resources: 2 - usefulness: 4 - level: 1 - assessment: | - - Show your build pipeline and an exemplary job (build + test). - - Show that every team member has access. - - Show that failed jobs are fixed. 
- - Credits: AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) - implementation: - - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 - name: CI/CD tools - tags: - - ci-cd - url: https://martinfowler.com/articles/continuousIntegration.html - description: CI/CD tools such as jenkins, gitlab-ci or github-actions - - uuid: ed6b6340-6c7f-4e13-8937-f560d3f5db11 - name: Container technologies and orchestration like Docker, Kubernetes - tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:ContainerOrchestrationSoftware/ - references: - samm2: - - I-SB-1-A - iso27001-2017: - - 12.1.1 - - 14.2.2 - iso27001-2022: - - 5.37 - - 8.32 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f6f7737f-25a9-4317-8de2-09bf59f29b5b - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Pinning of artifacts: - uuid: f3c4971e-9f4d-4e59-8ed0-f0bdb6262477 - risk: Unauthorized manipulation of artifacts might be difficult to spot. For - example, this may result in using images with malicious code. Also, intended - major changes, which are automatically used in an image used might break the - functionality. - measure: Pinning of artifacts ensure that changes are performed only when intended. - comment: The usage of pinning requires a good processes for patching. Therefore, - choose this activity wisely. - meta: - implementationGuide: Pinning artifacts in Dockerfile refers to the practice - of using specific, immutable versions of base images and dependencies in - your build process. Instead of using the latest tag for your base image, - select a specific version or digest. For example, replace FROM node:latest, - to FROM node@sha256:abcdef12. 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 3 - level: 2 - implementation: - - uuid: 9368abfb-cf37-477a-9091-a804d2de9148 - name: Signing of containers - tags: - - signing - - container - - build - url: https://www.aquasec.com/cloud-native-academy/supply-chain-security/container-image-signing/ - description: Container technology automatically creates a hash for images, - which can be used. - - uuid: 638b3691-c9a5-45fa-9ba8-e40aeea32766 - name: Immutable images - tags: - - deployment - - container - - build - url: https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/#immutablility-after-first-modification - description: Immutable images are an other way, e.g. by using a registry, - which doesn't allow overriding of images. - dependsOn: - - Defined build process - references: - samm2: - - I-SB-1-A - iso27001-2017: - - 14.2.6 - iso27001-2022: - - 8.31 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/f3c4971e-9f4d-4e59-8ed0-f0bdb6262477 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - SBOM of components: - uuid: 2858ac12-0179-40d9-9acf-1b839c030473 - description: |- - SBOM (Software Bill of Materials) is a document that lists all components, libraries, - and dependencies used in a software application or container image. Creating an SBOM - during the build process can help ensure transparency, security, and license compliance - for your application. - risk: In case a vulnerability of severity high or critical exists, it needs - to be known where an artifacts with that vulnerability is deployed with which - dependencies. - measure: Creation of an SBOM of components (e.g. application and container image - content) during build. 
- dependsOn: - - Defined build process - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 3 - usefulness: 3 - level: 2 - implementation: [] - references: - samm2: [] - iso27001-2017: - - 8.1 - - 8.2 - iso27001-2022: - - 5.9 - - 5.12 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/2858ac12-0179-40d9-9acf-1b839c030473 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Signing of artifacts: - uuid: 5786959d-0c6f-46a6-8e1c-a32ff1a50222 - risk: Execution or usage of malicious code or data e.g. via executables, libraries - or container images. - measure: Digitally signing artifacts for all steps during the build and especially - docker images, helps to ensure their integrity and authenticity. - description: "To perform a push to a GitHub repository, you must be authenticated. - It's important to note that GitHub does not verify if the authenticated user's - email address matches the one in the commit.\nTo clearly identify the author - of a commit for reviewers, commit signing is recommended.\n\nGitHub actions - such as [semantic-release-action](https://github.com/cycjimmy/semantic-release-action) - do not automatically sign commits and may encounter issues as a result. \n\nTo - address this, you can refer to a working configuration example in the [workflow - folder](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel/blob/master/.github/workflows/main.yml) - of DSOMM, which demonstrates how to use semantic release action in conjunction - with [planetscale/ghcommit-action](https://github.com/planetscale/ghcommit-action).\nFor - added security, consider using [Fine-grained personal access tokens](https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/) - provided by your organization for a specific repository. Store the Personal - Access Token (PAT) as a secret in your project." 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 4 - level: 5 - implementation: - - uuid: ee81f93f-8230-4cfb-a132-ae4ec61cb8e6 - name: Docker Content Trust - tags: [] - url: https://docs.docker.com/engine/security/trust/ - - uuid: 6e9d8c14-ba3b-4698-afc3-365b4ab6fb1f - name: in-toto - tags: [] - url: https://in-toto.github.io/ - dependsOn: - - Defined build process - - Pinning of artifacts - references: - samm2: - - I-SB-1-A - iso27001-2017: - - 14.2.6 - iso27001-2022: - - 8.31 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/5786959d-0c6f-46a6-8e1c-a32ff1a50222 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Signing of code: - uuid: 9f107927-61e9-4574-85ad-3f2b4bca8665 - risk: Execution or usage of malicious code or data e.g. via executables, libraries - or container images. - measure: Digitally signing commits helps to prevent unauthorized manipulation - of source code. 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 3 - level: 3 - implementation: - - uuid: d6d755d3-b9f1-4942-a084-e62b266541df - name: Signing of commits - tags: - - signing - url: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work - description: Signing of commits in git - - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 - name: Enforcement of commit signing - tags: - - signing - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule - description: Usage of branch protection rules - dependsOn: - - Defined build process - references: - samm2: - - I-SB-2-A - iso27001-2017: - - 14.2.6 - iso27001-2022: - - 8.31 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Build/9f107927-61e9-4574-85ad-3f2b4bca8665 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Deployment: - Blue/Green Deployment: - uuid: 0cb2626b-fb0d-4a0f-9688-57f787310d97 - risk: A new artifact's version can have unknown defects. - measure: |- - Using a blue/green deployment strategy increases application availability - and reduces deployment risk by simplifying the rollback process if a deployment fails. 
- difficultyOfImplementation: - knowledge: 1 - time: 2 - resources: 1 - usefulness: 2 - level: 5 - implementation: - - uuid: 4fb3d95c-07c0-4cbb-b396-5054aba751c2 - name: Blue/Green Deployments - tags: [] - url: https://martinfowler.com/bliki/BlueGreenDeployment.html - dependsOn: - - Smoke Test - references: - samm2: - - TODO - iso27001-2017: - - 17.2.1 - - 12.1.1 - - 12.1.2 - - 12.1.4 - - 12.5.1 - - 14.2.9 - iso27001-2022: - - 8.14 - - 5.37 - - 8.31 - - 8.32 - - 8.19 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0cb2626b-fb0d-4a0f-9688-57f787310d97 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Defined decommissioning process: - uuid: da4ff665-dcb9-4e93-9d20-48cdedc50fc2 - description: |- - The decommissioning process in the context of Docker and Kubernetes involves - retiring Docker containers, images, and Kubernetes resources that are no longer - needed or have been replaced. This process must be carefully executed to avoid - impacting other services and applications. - risk: Unused applications are not maintained and may contain vulnerabilities. - Once exploited they can be used to attack other applications or to perform - lateral movements within the organization. - measure: A clear decommissioning process ensures the removal of unused applications - from the `Inventory of production components` and if implemented from `Inventory - of production artifacts`. 
- difficultyOfImplementation: - knowledge: 1 - time: 2 - resources: 1 - usefulness: 2 - level: 2 - references: - samm2: - - O-OM-2-B - iso27001-2017: - - 11.2.7 - iso27001-2022: - - 7.14 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/da4ff665-dcb9-4e93-9d20-48cdedc50fc2 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Defined deployment process: - uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a - risk: Deployment of insecure or malfunctioning artifacts. - measure: Defining a deployment process ensures that there are established criteria - in terms of functionalities, security, compliance, and performance, and that - the artifacts meet them. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 1 - dependsOn: - - Defined build process - implementation: - - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 - name: CI/CD tools - tags: - - ci-cd - url: https://martinfowler.com/articles/continuousIntegration.html - description: CI/CD tools such as jenkins, gitlab-ci or github-actions - - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba - name: Docker - url: https://github.com/moby/moby - tags: [] - references: - samm2: - - I-SD-1-A - iso27001-2017: - - 12.1.1 - - 14.2.2 - iso27001-2022: - - 5.37 - - 8.32 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/74938a3f-1269-49b9-9d0f-c43a79a1985a - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Environment depending configuration parameters (secrets): - uuid: df428c9d-efa0-4226-9f47-a15bb53f822b - risk: Unauthorized access to secrets stored in source code or in artifacts (e.g. - container images) through process listing (e.g. ps -ef). - measure: Set configuration parameters via environment variables stored using - specific platform functionalities or secrets management systems (e.g. 
Kubernetes - secrets or Hashicorp Vault). - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 2 - implementation: - - uuid: e3a2ffc8-313f-437e-9663-b24591568209 - name: Hashicorp Vault - tags: - - authentication - - authorization - - secrets - - infrastructure - url: https://github.com/hashicorp/vault - description: | - A tool for secrets management, encryption as a service, and privileged access management. - references: - samm2: - - I-SD-1-B - iso27001-2017: - - 9.4.5 - - 14.2.6 - iso27001-2022: - - 8.4 - - 8.31 - d3f: - - ApplicationConfigurationHardening - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/df428c9d-efa0-4226-9f47-a15bb53f822b - tags: - - secret - teamsImplemented: - Default: false - B: false - C: false - Evaluation of the trust of used components: - uuid: 0de465a6-55a7-4343-af79-948bb5ff10ba - risk: Application and system components like Open Source libraries or images - can have implementation flaws or deployment flaws. Developers or operations - might start random images in the production cluster which have malicious code - or known vulnerabilities. - measure: Each components source is evaluated to be trusted. For example the - source, number of developers included, email configuration used by maintainers - to prevent maintainer account theft, typo-squatting, ... Create image assessment - criteria, perform an evaluation of images and create a whitelist of artifacts/container - images/virtual machine images. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 1 - usefulness: 3 - level: 2 - implementation: - - uuid: 2a76300f-6b1f-4a51-b925-134c36b723af - name: Kubernetes Admission Controller can whitelist registries and/or whitelist - a signing key. 
- tags: [] - url: https://medium.com/slalom-technology/build-a-kubernetes-dynamic-admission-controller-for-container-registry-whitelisting-b46fe020e22d - - uuid: 5d8b27ac-286e-47a5-b23f-769eb6d74e4a - name: packj - tags: - - OpenSource - - Supply Chain - - vulnerability - url: https://github.com/ossillate-inc/packj - description: | - Packj is a tool to detect software supply chain attacks. It can detect malicious, vulnerable, abandoned, typo-squatting, and other "risky" packages from popular open-source package registries, such as NPM, RubyGems, and PyPI. - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 14.2.1 - - 14.2.5 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/0de465a6-55a7-4343-af79-948bb5ff10ba - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Handover of confidential parameters: - uuid: 94a96f79-8bd6-4904-97c0-994ff88f176a - risk: Parameters are often used to set credentials, for example by starting - containers or applications; these parameters can often be seen by any one - listing running processes on the target system. - measure: Encryption ensures confidentiality of credentials e.g. from unauthorized - access on the file system. Also, the usage of a credential management system - can help protect credentials. 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 3 - implementation: "" - dependsOn: - - Environment depending configuration parameters (secrets) - references: - samm2: - - I-SD-2-B - iso27001-2017: - - 14.1.3 - - 13.1.3 - - 9.4.3 - - 9.4.1 - - 10.1.2 - iso27001-2022: - - 8.33 - - 8.22 - - 5.17 - - 8.3 - - 8.24 - d3f: - - ApplicationConfigurationHardening - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/94a96f79-8bd6-4904-97c0-994ff88f176a - tags: - - secret - teamsImplemented: - Default: false - B: false - C: false - Inventory of production artifacts: - uuid: 83057028-0b77-4d2e-8135-40969768ae88 - risk: In case a vulnerability of severity high or critical exists, it needs - to be known where an artifacts (e.g. container image) with that vulnerability - is deployed. - measure: A documented inventory of artifacts in production like container images - exists (gathered manually or automatically). - dependsOn: - - Defined deployment process - - Inventory of production components - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 3 - usefulness: 3 - level: 2 - implementation: - - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca - name: Backstage - tags: - - documentation - - inventory - url: https://github.com/backstage/backstage - description: | - Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. - - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). 
- url: https://github.com/DependencyTrack/dependency-track - tags: - - sca - - inventory - - OpenSource - - Supply Chain - - vulnerability - - inventory - - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c - name: Image Metadata Collector - tags: - - documentation - - inventory - - kubernetes - url: https://github.com/SDA-SE/image-metadata-collector/ - description: | - Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. - references: - samm2: - - I-SD-2-A - iso27001-2017: - - 8.1 - - 8.2 - iso27001-2022: - - 5.9 - - 5.12 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/83057028-0b77-4d2e-8135-40969768ae88 - tags: - - inventory - teamsImplemented: - Default: false - B: false - C: false - Inventory of production components: - uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f - risk: An organization is unaware of components like applications in production. - Not knowing existing applications in production leads to not assessing it. - measure: |- - A documented inventory of components in production exists (gathered manually or automatically). For example a manually created document with applications in production. - In a kubernetes cluster, namespaces can be automatically gathered and documented, e.g. in a JSON in a S3 bucket/git repository, dependency track. - dependsOn: - - Defined deployment process - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 4 - level: 1 - implementation: - - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca - name: Backstage - tags: - - documentation - - inventory - url: https://github.com/backstage/backstage - description: | - Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. 
- - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). - url: https://github.com/DependencyTrack/dependency-track - tags: - - sca - - inventory - - OpenSource - - Supply Chain - - vulnerability - - inventory - - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c - name: Image Metadata Collector - tags: - - documentation - - inventory - - kubernetes - url: https://github.com/SDA-SE/image-metadata-collector/ - description: | - Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. - references: - samm2: - - I-SD-2-A - iso27001-2017: - - 8.1 - - 8.2 - iso27001-2022: - - 5.9 - - 5.12 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/2a44b708-734f-4463-b0cb-86dc46344b2f - tags: - - inventory - teamsImplemented: - Default: false - B: false - C: false - Inventory of production dependencies: - uuid: 13e9757e-58e2-4277-bc0f-eadc674891e6 - risk: Delayed identification of components and their vulnerabilities in production. - In case a vulnerability is known by the organization, it needs to be known - where an artifacts with that vulnerability is deployed with which dependencies. - measure: A documented inventory of dependencies used in artifacts like container - images and containers exists. 
- dependsOn: - - Inventory of production artifacts - - SBOM of components - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 3 - usefulness: 3 - level: 3 - implementation: - - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca - name: Backstage - tags: - - documentation - - inventory - url: https://github.com/backstage/backstage - description: | - Backstage is an open-source platform designed to create developer portals. At its core is a centralized software catalog that brings organization to your microservices and infrastructure. - - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). - url: https://github.com/DependencyTrack/dependency-track - tags: - - sca - - inventory - - OpenSource - - Supply Chain - - vulnerability - - inventory - - uuid: 879bd03f-8de1-43d6-b492-d974181bfa6c - name: Image Metadata Collector - tags: - - documentation - - inventory - - kubernetes - url: https://github.com/SDA-SE/image-metadata-collector/ - description: | - Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. - references: - samm2: - - I-SD-2-A - iso27001-2017: - - 8.1 - - 8.2 - iso27001-2022: - - 5.9 - - 5.12 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/13e9757e-58e2-4277-bc0f-eadc674891e6 - comments: "" - tags: - - inventory - - sbom - teamsImplemented: - Default: false - B: false - C: false - Rolling update on deployment: - uuid: 85d52588-f542-4225-a338-20dc22a5508d - risk: While a deployment is performed, the application can not be reached. 
- measure: A deployment without downtime is performed*. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 2 - level: 3 - implementation: - - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba - name: Docker - url: https://github.com/moby/moby - tags: [] - - uuid: a71ce8f8-fd4a-4240-8b46-64a6cdb5dfdb - name: Webserver - tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:WebServer/ - - uuid: ee2eb94b-7204-40d8-97da-43c7b1296e2e - name: rolling update - tags: [] - dependsOn: - - Defined deployment process - references: - samm2: - - I-SD-1-A - iso27001-2017: - - 12.5.1 - - 14.2.2 - - 17.2.1 - iso27001-2022: - - 8.19 - - 8.32 - - 8.14 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/85d52588-f542-4225-a338-20dc22a5508d - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Same artifact for environments: - uuid: a854b48d-83bd-4f8d-8621-a0bdd470837f - risk: Building of an artifact for different environments means that an untested - artifact might reach the production environment. 
- measure: Building an artifact once and deploying it to different environments - means that only tested artifacts are allowed to reach the production environment - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 4 - implementation: - - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba - name: Docker - url: https://github.com/moby/moby - tags: [] - dependsOn: - - Defined build process - references: - samm2: - - I-SD-2-A - iso27001-2017: - - 14.3.1 - - 14.2.8 - - 12.1.4 - iso27001-2022: - - 8.33 - - 8.29 - - 8.31 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a854b48d-83bd-4f8d-8621-a0bdd470837f - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Usage of feature toggles: - uuid: a511799b-045e-4b96-9843-7d63d8c1e2ad - risk: Using environment variables to enable or disable features can lead to - a situation where a feature is accidentally enabled in the production environment. - measure: Usage of environment independent configuration parameter, called static - feature toggles, mitigates the risk of accidentally enabling insecure features - in production. - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 1 - usefulness: 2 - level: 4 - implementation: - - uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba - name: Docker - url: https://github.com/moby/moby - tags: [] - - uuid: 83be6c60-6633-4c32-98de-7ae065c143c9 - name: Feature Toggles - tags: - - development - - architecture - url: https://martinfowler.com/articles/feature-toggles.html - description: | - Feature Toggles are a powerful technique, allowing teams to modify system behavior without changing code. 
(Pete Hodgson) - dependsOn: - - Same artifact for environments - references: - samm2: [] - iso27001-2017: - - 14.3.1 - - 14.2.8 - - 14.2.9 - - 12.1.4 - iso27001-2022: - - 8.33 - - 8.29 - - 8.31 - d3f: - - ApplicationConfigurationHardening - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/a511799b-045e-4b96-9843-7d63d8c1e2ad - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Patch Management: - A patch policy is defined: - uuid: 99415139-6b50-441b-89e1-0aa59accd43d - risk: Vulnerabilities in running artifacts stay for long and might get exploited. - measure: A patch policy for all artifacts (e.g. in images) is defined. How often - is an image rebuilt? - difficultyOfImplementation: - knowledge: 3 - time: 1 - resources: 2 - usefulness: 4 - level: 1 - implementation: [] - references: - samm2: - - O-EM-1-B - iso27001-2017: - - 12.6.1 - - 12.5.1 - - 14.2.5 - iso27001-2022: - - 8.8 - - 8.19 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/99415139-6b50-441b-89e1-0aa59accd43d - comments: "" - tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Automated PRs for patches: - uuid: 8ae0b92c-10e0-4602-ba22-7524d6aed488 - risk: Components with known (or unknown) vulnerabilities might stay for long - and get exploited, even when a patch is available. - measure: |- - Fast patching of third party component is needed. The DevOps way is to have an automated pull request for new components. This includes - * Applications * Virtualized operating system components (e.g. container images) * Operating Systems * Infrastructure as Code/GitOps (e.g. 
argocd based on a git repository or terraform) - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 4 - level: 1 - implementation: - - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 - name: dependabot - tags: - - auto-pr - - patching - url: https://dependabot.com/ - - uuid: 42ddb49f-48f2-4a3a-b76a-e73104ac6971 - name: Jenkins - tags: [] - url: https://www.jenkins.io/ - - uuid: 0d63f907-37fe-4375-88a5-a5e252732618 - name: terraform - tags: - - IaC - url: https://www.terraform.io/ - description: | - Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service. - - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920 - name: renovate - tags: - - auto-pr - - patching - url: https://github.com/renovatebot/renovate - references: - samm2: - - O-EM-1-B - iso27001-2017: - - 12.6.1 - - 14.2.5 - iso27001-2022: - - "8.8" - - "8.27" - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/8ae0b92c-10e0-4602-ba22-7524d6aed488 - comments: "" - tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Automated deployment of automated PRs: - uuid: 08f27c26-2c6a-47fe-9458-5e88f188085d - description: Automated merges of automated created PRs for outdated dependencies. - risk: Even if automated dependencies PRs are merged, they might not be deployed. - This results in vulnerabilities in running artifacts stay for too long and - might get exploited. 
- measure: | - After merging of an automated dependency PR, automated deployment is needed, - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - dependsOn: - - Automated merge of automated PRs - implementation: - - uuid: 0d63f907-37fe-4375-88a5-a5e252732618 - name: terraform - tags: - - IaC - url: https://www.terraform.io/ - description: | - Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service. - - uuid: fdb0e7cc-d3dd-4a2b-9f45-7d403001294f - name: argoCD - tags: - - deployment - url: https://argo-cd.readthedocs.io/en/stable/ - references: - samm2: - - O-EM-2-B - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/08f27c26-2c6a-47fe-9458-5e88f188085d - comments: "" - tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Automated merge of automated PRs: - uuid: f2594f8f-1cd6-45f9-af29-eaf3315698eb - description: Automated merges of automated created PRs for outdated dependencies. - risk: Vulnerabilities in running artifacts stay for too long and might get exploited. - measure: | - A good practice is to merge trusted dependencies (e.g. spring boot) after a grace period like one week. - Often, patches, fixes and minor updates are automatically merged. Be aware that automated merging requires a high - automated test coverage. Enforcement of merging of pull requests after a grace period. 
- difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 1 - usefulness: 3 - level: 2 - dependsOn: - - Automated PRs for patches - implementation: - - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 - name: dependabot - tags: - - auto-pr - - patching - url: https://dependabot.com/ - - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920 - name: renovate - tags: - - auto-pr - - patching - url: https://github.com/renovatebot/renovate - references: - samm2: - - O-EM-2-B - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/f2594f8f-1cd6-45f9-af29-eaf3315698eb - comments: "" - tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Nightly build of images (base images): - uuid: 34869eaf-f2e1-4926-b0bd-28c43402f057 - description: |- - A base image is a pre-built image that serves as a starting point for building - new images or containers. These base images usually include an operating system, - necessary dependencies, libraries, and other components that are required to run - a specific application or service. Nightly builds of custom base images refer to - an automated process that occurs daily or on a scheduled basis, usually during - nighttime or off-peak hours, to create updated versions of custom base images. - risk: Vulnerabilities in running containers stay for too long and might get - exploited. - measure: Custom base images are getting build at least nightly. In case the - packages in the base image e.g. centos has changed, the build server - triggers the build of depending images. 
- difficultyOfImplementation: - knowledge: 3 - time: 2 - resources: 2 - usefulness: 3 - level: 2 - implementation: [] - references: - samm2: - - O-EM-1-B - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/34869eaf-f2e1-4926-b0bd-28c43402f057 - comments: "" - tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Reduction of the attack surface: - uuid: 16e39c8f-5336-4001-88ed-a552d2447531 - description: |- - Distroless images are minimal, stripped-down base images that contain only the - essential components required to run your application. They do not include package - managers, shells, or any other tools that are commonly found in standard Linux - distributions. Using distroless images can help reduce the attack surface and - overall size of your container images. - risk: Components, dependencies, files or file access rights might have vulnerabilities, - but the they are not needed. - measure: Removal of unneeded components, dependencies, files or file access - rights. For container images the usage of distroless images is recommended. 
- difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 2 - usefulness: 3 - level: 2 - implementation: - - uuid: ef647044-b675-47d3-9720-3ebc144ef37b - name: Distroless - tags: [] - url: https://github.com/GoogleContainerTools/distroless - - uuid: be757cb3-63d6-4a63-9c4e-e10b746fd47a - name: Fedora CoreOS - tags: [] - url: https://getfedora.org/coreos - - uuid: a92c4f8f-a918-406a-b1e5-70acfc0477bd - name: Distroless or Alpine - tags: [] - url: https://itnext.io/which-container-images-to-use-distroless-or-alpine-96e3dab43a22 - references: - samm2: - - I-SB-2 - iso27001-2017: - - hardening is missing in ISO 27001 - - 14.2.1 - iso27001-2022: - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/16e39c8f-5336-4001-88ed-a552d2447531 - comments: "" - tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Usage of a maximum lifetime for images: - uuid: 485a3383-7f2e-4dba-bb84-479377070904 - description: |- - The maximum lifetime for a Docker container refers to the duration a container - should be allowed to run before it is considered outdated, stale, or insecure. - There is not a fixed, universally applicable maximum lifetime for a Docker - container, as it varies depending on the specific use case, application - requirements, and security needs. As a best practice, it is essential to define - a reasonable maximum lifetime for containers to ensure that you consistently - deploy the most recent, patched, and secure versions of both your custom base - images and third-party images. - risk: Vulnerabilities in images of running containers stay for too long and - might get exploited. Long running containers have potential memory leaks. - A compromised container might get killed by restarting the container (e.g. - in case the attacker has not reached the persistence layer). - measure: A short maximum lifetime for images is defined, e.g. 30 days. 
The project - images, based on the nightly builded images, are deployed at leased once within - the defined lifetime. Third Party images are deployed at leased once within - the defined lifetime. - difficultyOfImplementation: - knowledge: 3 - time: 4 - resources: 2 - usefulness: 3 - level: 2 - implementation: [] - references: - samm2: - - O-EM-1-B - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/485a3383-7f2e-4dba-bb84-479377070904 - comments: "" - tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Usage of a short maximum lifetime for images: - uuid: 6b96e5a0-ce34-4ea4-a88f-469d3b84546e - description: |- - The maximum lifetime for a Docker container refers to the duration a container - should be allowed to run before it is considered outdated, stale, or insecure. - There is not a fixed, universally applicable maximum lifetime for a Docker - container, as it varies depending on the specific use case, application - requirements, and security needs. As a best practice, it is essential to define - a reasonable maximum lifetime for containers to ensure that you consistently - deploy the most recent, patched, and secure versions of both your custom base - images and third-party images. - risk: Vulnerabilities in running containers stay for too long and might get - exploited. - measure: | - A good practice is to perform the build and deployment daily or even just-in-time, when a new component (e.g. package) for the image is available. 
- difficultyOfImplementation: - knowledge: 3 - time: 4 - resources: 2 - usefulness: 3 - level: 4 - implementation: - - uuid: 1a463242-b480-46f6-a912-b51ec1c1558d - name: "Sample concept: \n(1" - tags: [] - description: "Sample concept: \n(1) each container has a set lifetime and - is killed / replaced with a new container multiple times a day where you - have some form of a graceful replacement to ensure no (short) service outage - will occur to the end users. \n(2) twice a day a rebuild of images is done. - The rebuilds are put into a automated testing pipeline. If the testing has - no blocking issues the new images will be released for deployment during - the next \"restart\" of a container. What has to be done, is to ensure the - new containers are deployed in some canary deployment manner, this will - ensure that if (and only if) something buggy has been introduced which breaks - functionality the canary deployment will make sure the \"older version\" - is being used and not the buggy newer one." - references: - samm2: - - O-EM-2-B - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Patch - Management/6b96e5a0-ce34-4ea4-a88f-469d3b84546e - comments: "" - tags: - - patching - teamsImplemented: - Default: false - B: false - C: false -Culture and Organization: - Design: - Conduction of advanced threat modeling: - uuid: ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9 - risk: Inadequate identification of business and technical risks. - measure: Threat modeling is performed by using reviewing user stories and producing - security driven data flow diagrams. 
- difficultyOfImplementation: - knowledge: 4 - time: 3 - resources: 2 - usefulness: 3 - level: 4 - dependsOn: - - Conduction of simple threat modeling on technical level - - Creation of threat modeling processes and standards - description: | - **Example High Maturity Scenario:** - - Based on a detailed threat model defined and updated through code, the team decides the following: - - * Local encrypted caches need to expire and auto-purged. - * Communication channels encrypted and authenticated. - * All secrets persisted in shared secrets store. - * Frontend designed with permissions model integration. - * Permissions matrix defined. - * Input is escaped output is encoded appropriately using well established libraries. - - Source: OWASP Project Integration Project - implementation: - - uuid: c0533602-11b7-4838-93cc-a40556398163 - name: Whiteboard - tags: - - defender - - threat-modeling - - collaboration - - whiteboard - url: https://en.wikipedia.org/wiki/Whiteboard - - uuid: 965c3814-b6df-4ead-a096-1ed78ce1c7c1 - name: Miro (or any other collaborative board) - tags: - - defender - - threat-modeling - - collaboration - - whiteboard - url: https://miro.com/ - - uuid: 088794c4-3424-40d4-9084-4151587fc84d - name: Draw.io - tags: - - defender - - threat-modeling - - whiteboard - url: https://github.com/jgraph/drawio-desktop - - uuid: fd0f282b-a065-4464-beed-770c604a5f52 - name: Threat Modeling Playbook - tags: - - owasp - - defender - - threat-modeling - - whiteboard - url: https://github.com/Toreon/threat-model-playbook - - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52 - name: OWASP SAMM - tags: - - threat-modeling - - owasp - - defender - url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ - - uuid: e8332407-5149-459e-a2fe-c5c78c7ec55c - name: Threagile - tags: - - threat-modeling - url: https://github.com/Threagile/threagile - - uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617 - name: Threat Matrix for Storage - url: 
https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/ - tags: - - documentation - - storage - - cluster - - kubernetes - references: - samm2: - - D-TA-2-B - iso27001-2017: - - Not explicitly covered by ISO 27001 - - May be part of risk assessment - - 8.2.1 - - 14.2.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - - May be part of risk assessment - - 5.12 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/ae22dafd-bcd6-41ee-ba01-8b7fe6fc1ad9 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Conduction of simple threat modeling on business level: - uuid: 48f97f31-931c-46eb-9b3e-e2fec0cd0426 - risk: Business related threats are discovered too late in the development and - deployment process. - measure: Threat modeling of business functionality is performed during the product - backlog creation to facilitate early detection of security defects. - difficultyOfImplementation: - knowledge: 2 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - implementation: [] - references: - samm2: - - D-TA-2-B - iso27001-2017: - - Not explicitly covered by ISO 27001 - - May be part of risk assessment - - 8.2.1 - - 14.2.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - - May be part of risk assessment - - 5.12 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/48f97f31-931c-46eb-9b3e-e2fec0cd0426 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Conduction of simple threat modeling on technical level: - uuid: 47419324-e263-415b-815d-e7161b6b905e - risk: Technical related threats are discovered too late in the development and - deployment process. - measure: Threat modeling of technical features is performed during the product - sprint planning. 
- difficultyOfImplementation: - knowledge: 2 - time: 3 - resources: 1 - usefulness: 3 - level: 1 - implementation: - - uuid: c0533602-11b7-4838-93cc-a40556398163 - name: Whiteboard - tags: - - defender - - threat-modeling - - collaboration - - whiteboard - url: https://en.wikipedia.org/wiki/Whiteboard - - uuid: 965c3814-b6df-4ead-a096-1ed78ce1c7c1 - name: Miro (or any other collaborative board) - tags: - - defender - - threat-modeling - - collaboration - - whiteboard - url: https://miro.com/ - - uuid: 088794c4-3424-40d4-9084-4151587fc84d - name: Draw.io - tags: - - defender - - threat-modeling - - whiteboard - url: https://github.com/jgraph/drawio-desktop - - uuid: fd0f282b-a065-4464-beed-770c604a5f52 - name: Threat Modeling Playbook - tags: - - owasp - - defender - - threat-modeling - - whiteboard - url: https://github.com/Toreon/threat-model-playbook - - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52 - name: OWASP SAMM - tags: - - threat-modeling - - owasp - - defender - url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ - - uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617 - name: Threat Matrix for Storage - url: https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/ - tags: - - documentation - - storage - - cluster - - kubernetes - description: | - # OWASP SAMM Description - Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment. - - Threat modeling is a team exercise, including product owners, architects, security champions, and security testers. At this maturity level, expose teams and stakeholders to threat modeling to increase security awareness and to create a shared vision on the security of the system. 
- - At maturity level 1, you perform threat modeling ad-hoc for high-risk applications and use simple threat checklists, such as STRIDE. Avoid lengthy workshops and overly detailed lists of low-relevant threats. Perform threat modeling iteratively to align to more iterative development paradigms. If you add new functionality to an existing application, look only into the newly added functions instead of trying to cover the entire scope. A good starting point is the existing diagrams that you annotate during discussion workshops. Always make sure to persist the outcome of a threat modeling discussion for later use. - - Your most important tool to start threat modeling is a whiteboard, smartboard, or a piece of paper. Aim for security awareness, a simple process, and actionable outcomes that you agree upon with your team. Once requirements are gathered and analysis is performed, implementation specifics need to be defined. The outcome of this stage is usually a diagram outlining data flows and a general system architecture. This presents an opportunity for both threat modeling and attaching security considerations to every ticket and epic that is the outcome of this stage. - - Source: https://owaspsamm.org/model/design/threat-assessment/stream-b/ - # OWASP Project Integration Description - There is some great advice on threat modeling out there *e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/) article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one. - - A bite sized primer by Adam Shostack himself can be found [here](https://adam.shostack.org/blog/2018/03/threat-modeling-panel-at-appsec-cali-2018/). - - OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling) on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html). 
Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/). - - There's a few projects that can help with creating Threat Models at this stage, [PyTM](https://github.com/izar/pytm) is one, [ThreatSpec](https://github.com/threatspec/threatspec) is another. - - > Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations. An example can be found below._ - - ![Threat Model](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/threat_model.png "Threat Model") - - Last, if the organizations maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function. - - ![SKF](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/skf_qs.png "SKF") - - This practice has the side effect that it trains non-security specialists to think like attackers. - - The outcomes of this stage should help lay the foundation of secure design and considerations. - - **Example Low Maturity Scenario:** - - Following vague feature requirements the design includes caching data to a local unencrypted database with a hardcoded password. - - Remote data store access secrets are hardcoded in the configuration files. All communication between backend systems is plaintext. - - Frontend serves data over GraphQL as a thin layer between caching system and end user. - - GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries. Access to data is protected with basic auth set to _1234:1234_ for development purposes. 
- - Source: OWASP Project Integration Project - references: - samm2: - - D-TA-2-B - iso27001-2017: - - Not explicitly covered by ISO 27001 - - May be part of risk assessment - - 8.2.1 - - 14.2.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - - May be part of risk assessment - - 5.12 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/47419324-e263-415b-815d-e7161b6b905e - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Creation of advanced abuse stories: - uuid: 0a929c3e-ab9a-4206-8761-adf84b74622e - risk: Simple user stories are not going deep enough. Relevant security considerations - are performed. Security flaws are discovered too late in the development and - deployment process - measure: Advanced abuse stories are created as part of threat modeling activities. - difficultyOfImplementation: - knowledge: 4 - time: 2 - resources: 1 - usefulness: 4 - level: 5 - dependsOn: - - Creation of simple abuse stories - implementation: - - uuid: bb5b8988-021b-452a-a914-bd36887b6860 - name: Don't Forget EVIL User stories - tags: [] - url: https://www.owasp.org/index.php/Agile_Software_Development - description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) - and [Practical Security Stories and Security Tasks for Agile Development - Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' - references: - samm2: - - D-TA-2-B - iso27001-2017: - - Not explicitly covered by ISO 27001 - - May be part of project management - - 6.1.5 - - May be part of risk assessment - - 8.1.2 - iso27001-2022: - - Not explicitly covered by ISO 27001 - - May be part of project management - - 5.8 - - May be part of risk assessment - - 5.9 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/0a929c3e-ab9a-4206-8761-adf84b74622e - comments: "" - 
tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Creation of simple abuse stories: - uuid: bacf85b6-5bc0-405d-b5ba-a5d971467cc1 - risk: User stories mostly don't consider security implications. Security flaws - are discovered too late in the development and deployment process. - measure: Abuse stories are created during the creation of user stories. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 3 - implementation: - - uuid: bb5b8988-021b-452a-a914-bd36887b6860 - name: Don't Forget EVIL User stories - tags: [] - url: https://www.owasp.org/index.php/Agile_Software_Development - description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) - and [Practical Security Stories and Security Tasks for Agile Development - Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' - dependsOn: - - Conduction of simple threat modeling on technical level - - Creation of threat modeling processes and standards - references: - samm2: - - D-TA-2-B - iso27001-2017: - - Not explicitly covered by ISO 27001 - - May be part of project management - - 6.1.5 - - May be part of risk assessment - - 8.1.2 - iso27001-2022: - - Not explicitly covered by ISO 27001 - - May be part of project management - - 5.8 - - May be part of risk assessment - - 5.9 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/bacf85b6-5bc0-405d-b5ba-a5d971467cc1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Creation of threat modeling processes and standards: - uuid: dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e - risk: Inadequate identification of business and technical risks. 
- measure: Creation of threat modeling processes and standards through the organization - helps to enhance the security culture and provide more structure to the threat - model exercises. - difficultyOfImplementation: - knowledge: 4 - time: 3 - resources: 2 - usefulness: 3 - level: 3 - description: "" - implementation: - - uuid: fd0f282b-a065-4464-beed-770c604a5f52 - name: Threat Modeling Playbook - tags: - - owasp - - defender - - threat-modeling - - whiteboard - url: https://github.com/Toreon/threat-model-playbook - - uuid: b5eaf710-e05f-49e5-a649-13afde9aeb52 - name: OWASP SAMM - tags: - - threat-modeling - - owasp - - defender - url: https://owaspsamm.org/model/design/threat-assessment/stream-b/ - dependsOn: - - Conduction of simple threat modeling on technical level - references: - samm2: - - D-TA-3-B - iso27001-2017: - - Not explicitly covered by ISO 27001 - - May be part of risk assessment - - 8.2.1 - - 14.2.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - - May be part of risk assessment - - 5.12 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Information security targets are communicated: - uuid: 1b9281b9-48e2-4c01-9ac6-9db9931c4885 - risk: Employees don't know their organizations security targets. Therefore security - is not considered during development and administration as much as it should - be. - measure: Transparent and timely communication of the security targets by senior - management is essential to ensure teams' buy-in and support. 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 3 - level: 2 - implementation: [] - references: - samm2: [] - iso27001-2017: - - 5.1.1 - - 7.2.1 - iso27001-2022: - - 5.1 - - 5.4 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Design/1b9281b9-48e2-4c01-9ac6-9db9931c4885 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Education and Guidance: - Ad-Hoc Security trainings for software developers: - uuid: 12c90cc6-3d58-4d9b-82ff-d469d2a0c298 - risk: Understanding security is hard and personnel needs to be trained on it. - Otherwise, flaws like an SQL Injection might be introduced into the software - which might get exploited. - measure: Provide security awareness training for all personnel involved in software - development Ad-Hoc. - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 1 - usefulness: 3 - level: 1 - implementation: - - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a - name: OWASP Juice Shop - tags: - - training - url: https://github.com/bkimminich/juice-shop - description: In case you do not have the budget to hire an external security - expert, an option is to use the OWASP JuiceShop on a "hacking Friday" - - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 - name: OWASP Cheatsheet Series - tags: - - secure coding - url: https://cheatsheetseries.owasp.org/ - references: - samm2: - - G-EG-1-A - iso27001-2017: - - 7.2.2 - iso27001-2022: - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/12c90cc6-3d58-4d9b-82ff-d469d2a0c298 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Aligning security in teams: - uuid: f994a55d-71bb-45a4-a887-0a213d72c504 - risk: The concept of Security Champions might suggest that only he/she is responsible - for security. However, everyone in the project team should be responsible - for security. 
- measure: By aligning security Subject Matter Experts with project teams, a higher - security standard can be achieved. - difficultyOfImplementation: - knowledge: 4 - time: 4 - resources: 1 - usefulness: 5 - implementation: - - uuid: 8a044b74-17f2-4ffa-9dee-6b3bb6e4baf3 - name: Involve Security SME - tags: [] - description: Security SME are involved in discussion for requirements analysis, - software design and sprint planning to provide guidance and suggestions. - level: 4 - references: - samm2: - - G-EG-3-B - iso27001-2017: - - 7.1.1 - iso27001-2022: - - 6.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/f994a55d-71bb-45a4-a887-0a213d72c504 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Conduction of build-it, break-it, fix-it contests: - uuid: bfdb576e-a416-4ec6-96fe-a078d58b2ff8 - risk: Understanding security is hard, even for security champions and the conduction - of security training often focuses on breaking a component instead of building - a component secure. - measure: The build-it, break-it, fix-it contest allows to train people with - security related roles like security champions the build, break and fix part - of a secure application. This increases the learning of building secure components. 
- difficultyOfImplementation: - knowledge: 5 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - implementation: - - uuid: 8d4c1849-f310-4c42-8148-2810b382bc6f - name: Build it Break it Fix it Contest - tags: [] - url: https://builditbreakit.org/ - references: - samm2: - - G-EG-2-A - iso27001-2017: - - 7.2.2 - iso27001-2022: - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/bfdb576e-a416-4ec6-96fe-a078d58b2ff8 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Conduction of collaborative security checks with developers and system administrators: - uuid: 95caef96-36ed-458c-a087-5c35d4f9dec2 - risk: Security checks by external companies do not increase the understanding - of an application/system for internal employees. - measure: Periodically security reviews of source code (SCA), in which security - SME, developers and operations are involved, are effective at increasing the - robustness of software and the security knowledge of the teams involved. - difficultyOfImplementation: - knowledge: 3 - time: 2 - resources: 1 - usefulness: 3 - level: 5 - implementation: [] - references: - samm2: - - G-EG-2-A - iso27001-2017: - - Mutual review of source code is not explicitly required in ISO 27001 may - be - - 7.2.2 - - 12.6.1 - - 12.7.1 - iso27001-2022: - - Mutual review of source code is not explicitly required in ISO 27001 may - be - - 6.3 - - 8.8 - - 8.34 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/95caef96-36ed-458c-a087-5c35d4f9dec2 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Conduction of collaborative team security checks: - uuid: 35446784-7610-40d9-af9e-d43f3173bf8c - risk: Development teams limited insight over security practices. 
- measure: Mutual security testing the security of other teams project enhances - security awareness and knowledge. - difficultyOfImplementation: - resources: 2 - knowledge: 4 - time: 4 - usefulness: 2 - level: 4 - implementation: [] - references: - samm2: - - G-EG-1-A - - G-EG-2-A - iso27001-2017: - - Mutual security testing is not explicitly required in ISO 27001 may be - - 7.2.2 - iso27001-2022: - - Mutual security testing is not explicitly required in ISO 27001 may be - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/35446784-7610-40d9-af9e-d43f3173bf8c - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Conduction of war games: - uuid: 534f60bf-0995-4314-bb9c-f0f2bf204694 - risk: Understanding incident response plans during an incident is hard and ineffective. - measure: War Games like activities help train for incidents. Security SMEs create - attack scenarios in a testing environment enabling the trainees to learn how - to react in case of an incident. - difficultyOfImplementation: - knowledge: 4 - time: 5 - resources: 4 - usefulness: 3 - level: 4 - implementation: [] - references: - samm2: - - G-EG-2-A - iso27001-2017: - - War games are not explicitly required in ISO 27001 may be - - 7.2.2 - - 16.1 - - 16.1.5 - iso27001-2022: - - War games are not explicitly required in ISO 27001 may be - - 6.3 - - 5.24 - - 5.26 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/534f60bf-0995-4314-bb9c-f0f2bf204694 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Each team has a security champion: - uuid: 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 - risk: No one feels directly responsible for security and the security champion - does not have enough time to allocate to each team. - measure: Each team defines an individual to be responsible for security. 
These - individuals are often referred to as 'security champions' - difficultyOfImplementation: - knowledge: 3 - time: 2 - resources: 1 - usefulness: 4 - level: 2 - description: | - Implement a program where each software development team has a member considered a "Security Champion" who is the liaison between Information Security and developers. Depending on the size and structure of the team the "Security Champion" may be a software developer, tester, or a product manager. The "Security Champion" has a set number of hours per week for Information Security related activities. They participate in periodic briefings to increase awareness and expertise in different security disciplines. "Security Champions" have additional training to help develop these roles as Software Security subject-matter experts. You may need to customize the way you create and support "Security Champions" for cultural reasons. - - The goals of the position are to increase effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. To achieve these objectives, "Security Champions" assist with researching, verifying, and prioritizing security and compliance related software defects. They are involved in all Risk Assessments, Threat Assessments, and Architectural Reviews to help identify opportunities to remediate security defects by making the architecture of the application more resilient and reducing the attack threat surface. 
- - [Source: OWASP SAMM](https://owaspsamm.org/model/governance/education-and-guidance/stream-b/) - implementation: - - uuid: c191a515-3c10-4903-a889-70c8021f2ea1 - name: OWASP Security Champions Playbook - tags: - - security champions - url: https://github.com/c0rdis/security-champions-playbook - references: - samm2: - - G-EG-1-B - - G-EG-2-B - iso27001-2017: - - Security champions are missing in ISO 27001 most likely - - 7.2.1 - - 7.2.2 - iso27001-2022: - - Security champions are missing in ISO 27001 most likely - - 5.4 - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Office Hours: - uuid: 185d5a74-19dc-4422-be07-44ea35226783 - risk: Developers and Operations are not in contact with the security team and - therefore do not ask prior implementation of (known or unknown) threats- - measure: As a security team, be open for questions and hints during defined - office hours. x x d - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 3 - level: 3 - implementation: ~ - references: - samm2: - - G-EG-1-A - iso27001-2017: - - 7.2.2 - iso27001-2022: - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/185d5a74-19dc-4422-be07-44ea35226783 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Regular security training for all: - uuid: 9768f154-357a-4c06-af6f-d66570677c9b - risk: Understanding security is hard. - measure: Provide security awareness training for all internal personnel involved - in software development on a regular basis like twice in a year for 1-3 days. 
- difficultyOfImplementation: - knowledge: 3 - time: 4 - resources: 2 - usefulness: 4 - level: 2 - description: | - Conduct security awareness training for all roles currently involved in the management, development, testing, or auditing of the software. The goal is to increase the awareness of application security threats and risks, security best practices, and secure software design principles. Develop training internally or procure it externally. Ideally, deliver training in person so participants can have discussions as a team, but Computer-Based Training (CBT) is also an option. - - Course content should include a range of topics relevant to application security and privacy, while remaining accessible to a non-technical audience. Suitable concepts are secure design principles including Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability. Additionally, the training should include references to any organization-wide standards, policies, and procedures defined to improve application security. The OWASP Top 10 vulnerabilities should be covered at a high level. - - Training is mandatory for all employees and contractors involved with software development and includes an auditable sign-off to demonstrate compliance. Consider incorporating innovative ways of delivery (such as gamification) to maximize its effectiveness and combat desensitization. 
- - [Source: OWASP SAMM 2](https://owaspsamm.org/model/governance/education-and-guidance/stream-a/) - implementation: - - uuid: 81476121-67dd-4ba9-a67b-e78a23050c28 - name: OWASP JuiceShop - tags: [] - url: https://github.com/bkimminich/juice-shop - description: |- - In case you do not have the budget to hire an external security expert, an option - is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday" - - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 - name: OWASP Cheatsheet Series - tags: - - secure coding - url: https://cheatsheetseries.owasp.org/ - references: - samm2: - - G-EG-1-A - iso27001-2017: - - 7.2.2 - iso27001-2022: - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/9768f154-357a-4c06-af6f-d66570677c9b - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Regular security training for externals: - uuid: 31833d56-35af-4ef3-9300-f23d27646ce7 - risk: Understanding security is hard. - measure: Provide security awareness training for all personnel including externals - involved in software development on a regular basis. 
- difficultyOfImplementation: - knowledge: 3 - time: 2 - resources: 3 - usefulness: 4 - level: 4 - implementation: - - uuid: 81476121-67dd-4ba9-a67b-e78a23050c28 - name: OWASP JuiceShop - tags: [] - url: https://github.com/bkimminich/juice-shop - description: |- - In case you do not have the budget to hire an external security expert, an option - is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday" - - uuid: 99080ac7-60cd-46af-93a1-a53a33597cba - name: https://cheatsheetseries.owasp.org/ - tags: - - training - - secure coding - url: https://cheatsheetseries.owasp.org/ - references: - samm2: - - G-EG-3-A - iso27001-2017: - - 7.2.2 - iso27001-2022: - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/31833d56-35af-4ef3-9300-f23d27646ce7 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Regular security training of security champions: - uuid: f88d1b17-3d7d-4c3d-8139-ad44fc4942d4 - risk: Understanding security is hard, even for security champions. - measure: Regular security training of security champions. 
- assessment: | - - Process Documentation: TODO - - Training Content: TOODO - difficultyOfImplementation: - knowledge: 4 - time: 2 - resources: 2 - usefulness: 5 - level: 2 - implementation: - - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 - name: OWASP Cheatsheet Series - tags: - - secure coding - url: https://cheatsheetseries.owasp.org/ - dependsOn: - - Each team has a security champion - references: - samm2: - - D-TA-2-B - - G-EG-1-A - iso27001-2017: - - Security champions are missing in ISO 27001 - - 7.2.2 - iso27001-2022: - - Security champions are missing in ISO 27001 - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/f88d1b17-3d7d-4c3d-8139-ad44fc4942d4 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Reward of good communication: - uuid: 91b6f75b-9f4a-4d77-95a2-af7ad3222c7c - risk: Employees are not getting excited about security. - measure: Good communication and transparency encourages cross-organizational - support. Gamification of security is also known to help, examples include - T-Shirts, mugs, cups, gift cards and 'High-Fives'. 
- difficultyOfImplementation: - knowledge: 3 - time: 2 - resources: 1 - usefulness: 3 - level: 2 - implementation: - - uuid: 8e1b4a8a-c53b-4b1e-90f6-c60b7e225098 - name: Motivate people - tags: - - security champions - - gamification - - nudging - url: https://github.com/wurstbrot/security-pins - description: |- - Enhance motivation can be performed with the distribution of pins - as a reward, see [OWASP Security Pins Project](https://github.com/wurstbrot/security-pins) - - uuid: 22b63bdb-2003-4ac0-969d-b1e5268c2510 - name: OWASP Top 10 Maturity Categories for Security Champions - tags: - - security champions - url: https://owaspsamm.org/presentations/OWASP_Top_10_Maturity_Categories_for_Security_Champions.pptx - references: - samm2: - - G-EG-1-B - iso27001-2017: - - not required by ISO 27001 - - interestingly enough A7.2.3 is requiring a process to handle misconduct - but nothing to promote good behavior. - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/91b6f75b-9f4a-4d77-95a2-af7ad3222c7c - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Security Coaching: - uuid: f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3 - risk: Training does not change behaviour. Therefore, even if security practices - are understood, it's likely that they are not performed. - measure: By coaching teams on security topics using for example the samman coaching - method, teams internalize security practices as new habits in their development - process. - difficultyOfImplementation: - knowledge: 4 - time: 3 - resources: 1 - usefulness: 3 - implementation: - - uuid: 9223be73-00da-400e-a910-3871734cff2f - name: sammancoaching - tags: - - documentation - - coaching - - education - url: https://sammancoaching.org/ - description: | - Security coaches work with software development teams to help them adopt better security practices. 
- level: 3 - references: - samm2: - - G-EG-3-B - iso27001-2017: - - 7.1.1 - iso27001-2022: - - 6.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/f7b215dc-73a4-4c61-9e49-b3a3af1c9ac3 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Security code review: - uuid: 7121b0c7-6ace-4d6b-95d0-94535dbccb57 - risk: Understanding security is hard. - measure: | - The following areas of code tend to have a high-risk of containing security vulnerabilities: - - Crypto implementations / usage - - Parser, unparser - - System configuration - - Authentication, authorization - - Session management - - Request throttling - - :unicorn: (self-developed code, only used in that one software) - description: | - ### Benefits - - New vulnerabilities may be found before reaching production. - - Old vulnerabilities are found and fixed. - assessment: | - - Present the performed reviews (including participants, findings, consequences) and assess whether it is reasonable. 
- difficultyOfImplementation: - knowledge: 3 - time: 2 - resources: 1 - usefulness: 3 - level: 2 - implementation: - - uuid: c77f7ecd-76de-4611-bd6d-5b249f910c39 - name: CWE Top 25 Most Dangerous Software Weaknesses - tags: - - documentation - - threat - url: https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html - credits: | - AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) - references: - samm2: - - V-ST-1-B - iso27001-2017: - - ISO 27001:2017 mapping is missing - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/7121b0c7-6ace-4d6b-95d0-94535dbccb57 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Security consulting on request: - uuid: 0b28367b-75a0-4bae-a926-3725c1bf9bb0 - risk: Not asking a security expert when questions regarding security appear - might lead to flaws. - measure: Security consulting to teams is given on request. The security consultants - can be internal or external. - difficultyOfImplementation: - knowledge: 3 - time: 1 - resources: 1 - usefulness: 3 - level: 1 - implementation: - - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 - name: OWASP Cheatsheet Series - tags: - - secure coding - url: https://cheatsheetseries.owasp.org/ - references: - samm2: - - G-EG-1-A - iso27001-2017: - - security consulting is missing in ISO 27001 may be - - 6.1.1 - - 6.1.4 - - 6.1.5 - iso27001-2022: - - Security consulting is missing in ISO 27001 may be - - 5.2 - - 5.6 - - 5.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/0b28367b-75a0-4bae-a926-3725c1bf9bb0 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Security-Lessoned-Learned: - uuid: 58c46807-fee9-448b-b6dd-8050c464ab52 - risk: After an incident, a similar incident might reoccur. 
- measure: Running a 'lessons learned' session after an incident helps drive continuous - improvement. Regular meetings with security champions are a good place to - share and discuss lessons learned. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - implementation: [] - references: - samm2: - - O-IM-3-B - iso27001-2017: - - 16.1.6 - iso27001-2022: - - 5.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/58c46807-fee9-448b-b6dd-8050c464ab52 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Simple mob hacking: - uuid: 535f301a-e8e8-4eda-ad77-a08b035c92de - risk: Understanding security is hard. - measure: | - Participate with your whole team in a simple mob hacking session organized by the Security Champion Guild. - In the session the guild presents a vulnerable application and together you look at possible exploits. - Just like in mob programming there is one driver and several navigators. - description: | - ### Guidelines for your simple mob hacking session - - All exploits happen via the user interface. - - No need for security/hacking tools. - - No need for deep technical or security knowledge. - - Use an insecure training app, e.g., [DVWA](https://dvwa.co.uk/) or [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/). - - Encourage active participation, e.g., use small groups. - - Allow enough time for everyone to run at least one exploit. - - ### Benefits - - The team gets an idea of how exploits can look like and how easy applications can be attacked. - - The team understands functional correct working software can be highly insecure and easy to exploit. 
- difficultyOfImplementation: - knowledge: 5 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - credits: | - AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) - implementation: - - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a - name: OWASP Juice Shop - tags: - - training - url: https://github.com/bkimminich/juice-shop - description: In case you do not have the budget to hire an external security - expert, an option is to use the OWASP JuiceShop on a "hacking Friday" - - uuid: a8cd9acb-ad22-44d6-b177-1154c65a8529 - name: Damn Vulnerable Web Application - tags: - - training - description: Simple Application with intended vulnerabilities. HTML based. - references: - samm2: - - G-EG-1-A - iso27001-2017: - - 7.2.2 - iso27001-2022: - - 6.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education - and Guidance/535f301a-e8e8-4eda-ad77-a08b035c92de - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Process: - Approval by reviewing any new version: - uuid: 3f63bdbc-c75f-4780-a941-e6ad42e894e1 - risk: An individual might forget to implement security measures to protect source - code or infrastructure components. - measure: On each new version (e.g. Pull Request) of source code or infrastructure - components a security peer review of the changes is performed (two eyes principle) - and approval given by the reviewer. 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - level: 3 - implementation: [] - references: - samm2: [] - iso27001-2017: - - Peer review - four eyes principle is not explicitly required by ISO 27001 - - 6.1.2 - - 14.2.1 - iso27001-2022: - - Peer review - four eyes principle is not explicitly required by ISO 27001 - - 5.3 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/3f63bdbc-c75f-4780-a941-e6ad42e894e1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Definition of a change management process: - uuid: b4193d32-3948-47e2-a326-3748c48019a1 - risk: The impact of a change is not controlled because these are not recorded - or documented. - measure: Each change of a system is automatically recorded and adequately logged. - difficultyOfImplementation: - knowledge: 4 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - implementation: [] - references: - samm2: [] - iso27001-2017: - - 14.2.2 - - 12.1.2 - - 12.4.1 - iso27001-2022: - - 8.32 - - 8.15 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/b4193d32-3948-47e2-a326-3748c48019a1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Definition of simple BCDR practices for critical components: - uuid: c72da779-86cc-45b1-a339-190ce5093171 - description: A _Business Continuity and Disaster Recovery_ (BCDR) is a plan - and a process that helps a business to return to normal operations if a disaster - occurs. - risk: If the disaster recovery actions are not clear, you risk slow reaction - and remediation delays. This applies to cyber attacks as well as natural emergencies, - such as a power outage. - measure: By understanding and documenting a business continuity and disaster - recovery (BCDR) plan, the overall availability of systems and applications - is increased. 
Success factors like responsibilities, Service Level Agreements, - Recovery Point Objectives, Recovery Time Objectives or Failover must be fully - documented and understood by the people involved in the recovery. - difficultyOfImplementation: - knowledge: 4 - time: 3 - resources: 2 - usefulness: 4 - level: 1 - implementation: [] - references: - samm2: [] - iso27001-2017: - - 17.1.1 - iso27001-2022: - - 5.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/c72da779-86cc-45b1-a339-190ce5093171 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Determining the protection requirement: - uuid: 72737130-472c-4984-80f8-9ab2f1c2ed5d - risk: "Not defining the protection requirement of applications can lead to wrong - prioritization, delayed remediation of \ncritical security issues, increasing - the risk of exploitation and potential damage to the organization." - measure: "Defining the protection requirement. \nThe protection requirements - for an application should consider:\n- Processed data criticality\n- Application - accessibility (internal vs. external)\n- Regulatory compliance\n- Other relevant - factors" - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - level: 2 - dependsOn: - - Inventory of production components - implementation: - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. 
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. - - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde - name: Business friendly vulnerability management metrics - url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 - tags: - - documentation - - vulnerability - - vulnerability management system - - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f - name: DefectDojo Client - tags: - - Defectdojo - - statistics - url: https://github.com/SDA-SE/defectdojo-client - description: | - This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. - references: - samm2: - - I-DM-3-B - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Process/72737130-472c-4984-80f8-9ab2f1c2ed5d - tags: - - vulnerability-mgmt - - metrics - - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false -Implementation: - Application Hardening: - App. Hardening Level 1: - uuid: cf819225-30cb-4702-8e32-60225eedc33d - risk: Using an insecure application might lead to a compromised application. - This might lead to total data theft or data modification. - measure: | - Following frameworks like the - * OWASP Application Security Verification Standard Level 1 - * OWASP Mobile Application Security Verification Standard - - in all applications provides a good baseline. Implement 95%-100% of the recommendations. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 2 - dependsOn: - - App. 
Hardening Level 1 (50%) - description: | - To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jump-start the development process, but also do so securely. - - [...] - - ### Planning aka Requirements Gathering & Analysis - The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security. - - ![SAMM Requirements](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/OWASP-in0.png) - - Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process. - - These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations. - - In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below. 
- - Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md) - implementation: - - uuid: 88767cde-1610-402e-98ec-bc3575377183 - name: OWASP ASVS - tags: [] - url: https://owasp.org/www-project-application-security-verification-standard/ - - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 - name: OWASP MASVS - tags: [] - url: https://github.com/OWASP/owasp-masvs - - uuid: 596cb528-8981-4723-bcc3-22c261f26114 - name: API Security Maturity Model for Authorization - tags: - - api - url: https://curity.io/resources/learn/the-api-security-maturity-model/ - references: - samm2: - - D-SR-1-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/cf819225-30cb-4702-8e32-60225eedc33d - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - App. Hardening Level 1 (50%): - uuid: b597928e-54d6-48a5-a806-8003dcd56aab - risk: Using an insecure application might lead to a compromised application. - This might lead to total data theft or data modification. - measure: | - Following frameworks like the - * OWASP Application Security Verification Standard Level 1 - * OWASP Mobile Application Security Verification Standard - - in all applications provides a good baseline. Implement 50% of the recommendations. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - level: 1 - description: | - To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. 
Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jumpstart the development process, but also do so securely. - - [...] - - ### Planning aka Requirements Gathering & Analysis - The Requirements gathering process tries to answer the question: _"What is the system going to do?"_ At this stage, the [SAMM project](https://owaspsamm.org/model/) offers 3 distinct maturity levels covering both [in-house](https://owaspsamm.org/model/design/security-requirements/stream-a/) software development and [third party](https://owaspsamm.org/model/design/security-requirements/stream-b/) supplier security. - - ![SAMM Requirements](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/OWASP-in0.png) - - Organizations can use these to add solid security considerations at the start of the Software Development or Procurement process. - - These general security considerations can be audited by using a subsection of the ASVS controls in section V1 as a questionnaire. This process attempts to ensure that every feature has concrete security considerations. - - In case of internal development and if the organization maps Features to Epics, the [Security Knowledge Framework](https://securityknowledgeframework.org/) can be used to facilitate this process by leveraging its questionnaire function, shown below. 
- - Source: [OWASP Project Integration](https://raw.githubusercontent.com/OWASP/www-project-integration-standards/master/writeups/owasp_in_sdlc/index.md) - implementation: - - uuid: 88767cde-1610-402e-98ec-bc3575377183 - name: OWASP ASVS - tags: [] - url: https://owasp.org/www-project-application-security-verification-standard/ - - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 - name: OWASP MASVS - tags: [] - url: https://github.com/OWASP/owasp-masvs - - uuid: 596cb528-8981-4723-bcc3-22c261f26114 - name: API Security Maturity Model for Authorization - tags: - - api - url: https://curity.io/resources/learn/the-api-security-maturity-model/ - references: - samm2: - - D-SR-1-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/b597928e-54d6-48a5-a806-8003dcd56aab - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - App. Hardening Level 2: - uuid: ffe86caf-2fec-4630-b514-2db83983984d - risk: Using an insecure application might lead to a compromised application. - This might lead to total data theft or data modification. - measure: | - Following frameworks like the - * OWASP Application Security Verification Standard Level 2 - * OWASP Mobile Application Security Verification Standard Level 2 - - Implement 95%-100% of the recommendations. 
- difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 1 - usefulness: 3 - level: 4 - implementation: - - uuid: 88767cde-1610-402e-98ec-bc3575377183 - name: OWASP ASVS - tags: [] - url: https://owasp.org/www-project-application-security-verification-standard/ - - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 - name: OWASP MASVS - tags: [] - url: https://github.com/OWASP/owasp-masvs - references: - samm2: - - D-SR-2-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/ffe86caf-2fec-4630-b514-2db83983984d - comments: "" - dependsOn: - - App. Hardening Level 2 (75%) - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - App. Hardening Level 2 (75%): - uuid: 03643ca2-03c2-472b-8e19-956bf02fe9b7 - risk: Using an insecure application might lead to a compromised application. - This might lead to total data theft or data modification. - measure: | - Following frameworks like the - * OWASP Application Security Verification Standard Level 2 - * OWASP Mobile Application Security Verification Standard Level 2 - - Implement 75% of the recommendations. 
- difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - implementation: - - uuid: 88767cde-1610-402e-98ec-bc3575377183 - name: OWASP ASVS - tags: [] - url: https://owasp.org/www-project-application-security-verification-standard/ - - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 - name: OWASP MASVS - tags: [] - url: https://github.com/OWASP/owasp-masvs - references: - samm2: - - D-SR-2-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/03643ca2-03c2-472b-8e19-956bf02fe9b7 - comments: "" - dependsOn: - - App. Hardening Level 1 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - App. Hardening Level 3: - uuid: 4cae98c2-4163-44ed-bb88-3c67c569533a - risk: Using an insecure application might lead to a compromised application. - This might lead to total data theft or data modification. - measure: | - Following frameworks like the - * OWASP Application Security Verification Standard Level 3 - * OWASP Mobile Application Security Verification Standard - - Implement 95%-100% of the recommendations. 
- difficultyOfImplementation: - knowledge: 4 - time: 4 - resources: 2 - usefulness: 4 - level: 5 - implementation: - - uuid: 88767cde-1610-402e-98ec-bc3575377183 - name: OWASP ASVS - tags: [] - url: https://owasp.org/www-project-application-security-verification-standard/ - - uuid: 7bf90650-a53a-4581-a214-1afd5de3a059 - name: OWASP MASVS - tags: [] - url: https://github.com/OWASP/owasp-masvs - references: - samm2: - - D-SR-3-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/4cae98c2-4163-44ed-bb88-3c67c569533a - dependsOn: - - App. Hardening Level 2 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Containers are running as non-root: - uuid: a86c1fbc-28fd-4610-89a3-a7f73acfe45f - risk: |- - There are various reasons to run a container as non-root. 
Samples are listed: - ## Container Escape Vectors - - - Root privileges significantly increase the chance of breaking container isolation - - Root access can be leveraged to exploit kernel vulnerabilities - - Compromised root containers provide attackers with maximum privileges inside the container - - Greater potential for escaping container boundaries to the host system - - ## Host System Vulnerabilities - - Root containers can potentially: - - - Mount sensitive host filesystems - - Access critical device files - - Modify host network settings - - Interact with host system processes - - Override security controls - - ## Resource Management Issues - - Root privileges may allow containers to: - - - Bypass resource quotas and limits - - Modify control group (cgroup) settings - - Interfere with other containers' resources - - Circumvent memory and CPU restrictions - - Security Boundary Weakening - - - Violates the principle of least privilege - - Provides unnecessary elevated permissions - - Expands the potential attack surface - - Increases the impact of a successful compromise - measure: "Containers are running as non-root. This can be enforced in the image - itself or during runtime parameters \n(e.g. `podman run --user [...]`)." 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - level: 2 - implementation: [] - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/a86c1fbc-28fd-4610-89a3-a7f73acfe45f - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Context-aware output encoding: - uuid: e1f37abb-d848-4a3a-b3df-65e91a89dcb7 - description: "**Input validation** stops malicious data from entering your system. - \\\n**Output encoding** neutralizes malicious data before rendering to user, - or the next system.\n\nInput validation and output encoding work together. - Apply both. \n\n**Context-aware output encoding** encodes data differently, - depending on its context. In the sample below the `{{bad_data}}` must be encoded - differently, depending on its context, to render safe HTML.\n\n```html\n
{{bad_data}}
\nClick me\n\n\n``` \n" - risk: If an attacker manages to slip though your input validation, the attacker - may gain control over the user session or execute arbitrary actions. - measure: "* Use modern secure frameworks such as React/Angular/Vue/Svelte. The - default method here renders data in a safe way.\n* Use established and well-maintained - encoding libraries such as OWASP\u2019s Java Encoder and Microsoft\u2019s - AntiXSS.\n* Implement content security policies (CSP) to restrict the types - of content that can be loaded and executed.\n" - difficultyOfImplementation: - knowledge: 1 - time: 2 - resources: 1 - usefulness: 3 - level: 1 - implementation: - - uuid: 2d61e48f-bade-4332-a383-adc50c29673a - name: OWASP DOM based XSS Prevention CheatSheet - url: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html - tags: [] - - uuid: ae97c9b0-308c-4dab-bff9-bf3330a897dc - name: CWE-838 Inappropriate Encoding for Output Context - tags: - - documentation - - cwe - url: https://cwe.mitre.org/data/definitions/838.html - references: - samm2: - - D-SR-1-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/e1f37abb-d848-4a3a-b3df-65e91a89dcb7 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Parametrization: - uuid: 00e91a8a-3972-4692-8679-674ab8547486 - description: | - By concatenating strings from user input to build SQL queries, an attacker can manipulate the query to do other unintentional SQL commands as well. - - This is called *SQL injection* but the principle applies to NoSql, and anywhere that your code is building commands that will be executed. - - Pay attention to these two lines of code. They seem similar, but behave very differently. 
- - * `sql.execute("SELECT * FROM table WHERE ID = " + id);` - * `sql.execute("SELECT * FROM table WHERE ID = ?", id);` - The second line is parameterized. The same principle applies to other types, such as command line execution, etc. - risk: "Systems vulnerable to injections may lead to data breaches, loss of data, - \nunauthorized alteration of data, or complete database compromise or downtime.\n\nThis - applies to SQL, NoSql, LDAP, XPath, email headers OS commands, etc. \n" - measure: | - * Identify which of the types your application is using. Check that you use: - * Use _parametrized queries_ (or _prepared statements_) - * For database queries, you may also use: - * Use _stored procedures_ () - * Use ORM (Object-Relational Mapping) tools that automatically handle input sanitization - difficultyOfImplementation: - knowledge: 1 - time: 2 - resources: 1 - usefulness: 3 - level: 1 - implementation: - - uuid: d880fa0f-9dbb-454e-a003-d844fad31ab4 - name: OWASP Parameterization CheatSheet - url: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html - tags: [] - references: - samm2: - - D-SR-1-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - Hardening/00e91a8a-3972-4692-8679-674ab8547486 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Secure headers: - uuid: 29318d60-18ce-4526-80ea-f5928e49f639 - risk: | - Missing or misconfigured security headers can lead to various security vulnerabilities, e.g.: - - Cross-Site Scripting (XSS) due to missing Content Security Policy - - Clickjacking attacks due to missing X-Frame-Options - - Information disclosure through Server header exposure - - SSL/TLS downgrade attacks due to missing HSTS - - Cross-site 
scripting and injection due to missing security headers - measure: | - Implement and enforce security headers across all applications and services - - Implementation Methods: - 1. Reverse Proxy/Load Balancer: Configure at nginx/Apache level - 2. Web Application: Implement in the application middleware - 3. Service Mesh: Configure at the ingress controller level - 4. Standard Docker Image: Use secure base images with preset headers - - Remove or Secure: - - Server header: Hide server version information - - X-Powered-By: Remove technology stack information - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 2 - usefulness: 4 - level: 3 - implementation: - - uuid: 370b7f35-4da7-4833-89d6-7266b82ea07e - name: OWASP Secure Headers Project - tags: - - header - - documentation - url: https://owasp.org/www-project-secure-headers/ - description: "The OWASP Secure Headers Project (also called OSHP) describes - HTTP response headers that your application can use \nto increase the security - of your application. Once set, these HTTP response headers can restrict - modern browsers \nfrom running into easily preventable vulnerabilities. - The OWASP Secure Headers Project intends to raise awareness\nand use of - these headers." 
- meta: - implementationGuide: | - Essential headers: - - Content-Security-Policy: Define trusted sources for content - - Strict-Transport-Security: Enforce HTTPS connections - - X-Frame-Options: Prevent clickjacking attacks - - X-Content-Type-Options: Prevent MIME-type sniffing - - X-XSS-Protection: Enable browser's XSS filtering - - Referrer-Policy: Control information in the Referrer header - references: - samm2: - - D-SR-3-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/cre/620-421 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Development and Source Control: - .gitignore: - uuid: 363a3eea-baf9-4010-88ca-bb8186a2989d - risk: Unintended leakage of secrets, debug, or workstation specific data - measure: .gitignore files help prevent accidental commits of secrets, debug, - or workstation specific data - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 1 - usefulness: 5 - level: 4 - dependsOn: [] - implementation: [] - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.1.1 - - 12.1.2 - - 14.2.2 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 5.37 - - 8.32 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/363a3eea-baf9-4010-88ca-bb8186a2989d - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Block force pushes: - uuid: c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17 - risk: "Misuse of force push can lead to loss of work. It may overwrite remote - \nbranches without warning, potentially erasing valuable contributions from - team members. 
This can disrupt collaboration, \ncause data loss, and create - confusion in the development process.\n\nBypassing the pull request process - might remove an important code review step. \nThis increases the risk of merging - low-quality or buggy code into the main branch, potentially introducing bugs - in the codebase." - measure: Mandate blocking of force pushes in the version control platform. - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 2 - usefulness: 3 - level: 3 - dependsOn: - - Require a PR before merging - implementation: - - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a - name: Improve code quality with branch policies - url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops - tags: - - source-code-protection - - scm - - uuid: 99211481-de9c-4358-880e-628366416a27 - name: About protected branches - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches - tags: - - source-code-protection - - scm - references: - samm2: - - O-EM-1-A - iso27001-2017: - - 6.1.2 - - 14.2.1 - iso27001-2022: - - 5.3 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/c7d99b18-c3e1-4d22-b2e3-9aa9146c0b17 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Dismiss stale PR approvals: - uuid: ea6f69f7-54a5-4922-ac15-a77ff0c16162 - risk: Intentional or accidental alterations in critical branches like main (or - master) through post-approval code additions. - measure: Implement a policy where any commits made after a pull request has - been approved automatically revoke that approval, necessitating a fresh review - and re-approval process. 
- difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 2 - usefulness: 4 - level: 3 - dependsOn: - - Require a PR before merging - implementation: - - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a - name: Improve code quality with branch policies - url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops - tags: - - source-code-protection - - scm - - uuid: 99211481-de9c-4358-880e-628366416a27 - name: About protected branches - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches - tags: - - source-code-protection - - scm - - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 - name: Enforcement of commit signing - tags: - - signing - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule - description: Usage of branch protection rules - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Peer review - four eyes principle is not explicitly required by ISO 27001 - - 6.1.2 - - 14.2.1 - iso27001-2022: - - Peer review - four eyes principle is not explicitly required by ISO 27001 - - 5.3 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/ea6f69f7-54a5-4922-ac15-a77ff0c16162 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Local development linting & style checks performed: - uuid: 517b0957-4981-4ac0-b4c7-0d8d1934c474 - risk: Insecure or unmaintainable code base. - measure: Integrate static code analysis tools in IDEs. 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 2 - level: 5 - description: "" - implementation: - - uuid: 0b7ec352-0c36-4de1-8912-617fc6c608fe - name: How to enforce a consistent coding style in your projects - url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm - tags: - - ide - - linting - - uuid: aa5ded61-5380-4da6-9474-afc36a397682 - name: In-Depth Linting of Your TypeScript While Coding - url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding - tags: - - ide - - linting - references: - samm2: - - V-ST-1-A - iso27001-2017: - - ISO 27001:2017 mapping is missing - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/517b0957-4981-4ac0-b4c7-0d8d1934c474 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Require a PR before merging: - uuid: e7598ac4-b082-4e56-b7df-e2c6b426a5e2 - risk: Intentional or accidental alterations in critical branches like main (or - master). - measure: Define source code management system policies (e.g. branch protection - rules, mandatory code reviews from at least one person, ...) to ensure that - changes to critical branches are only possible under defined conditions. These - policies can be implemented at repository level or organization level, depending - on the source code management system. 
- difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 2 - usefulness: 4 - level: 2 - implementation: - - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a - name: Improve code quality with branch policies - url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops - tags: - - source-code-protection - - scm - - uuid: 99211481-de9c-4358-880e-628366416a27 - name: About protected branches - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches - tags: - - source-code-protection - - scm - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Peer review - four eyes principle is not explicitly required by ISO 27001 - - 6.1.2 - - 14.2.1 - iso27001-2022: - - Peer review - four eyes principle is not explicitly required by ISO 27001 - - 5.3 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/e7598ac4-b082-4e56-b7df-e2c6b426a5e2 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Require status checks to pass: - uuid: ac8730a2-ccc0-465c-9550-d91edae9d5ee - risk: Organizations risk introducing broken builds, quality issues, and security - vulnerabilities into their codebase. - measure: Mandate passing of security related specified status checks, like successful - builds or static application security tests, before proceeding. 
- difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 2 - usefulness: 4 - level: 3 - dependsOn: - - Require a PR before merging - implementation: - - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a - name: Improve code quality with branch policies - url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops - tags: - - source-code-protection - - scm - - uuid: 99211481-de9c-4358-880e-628366416a27 - name: About protected branches - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches - tags: - - source-code-protection - - scm - - uuid: 86c6bdba-73c0-4c99-bbda-81b85c9fe2a4 - name: Enforcement of commit signing - tags: - - signing - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule - description: Usage of branch protection rules - references: - samm2: - - O-EM-1-A - iso27001-2017: - - 6.1.2 - - 14.2.1 - iso27001-2022: - - 5.3 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/ac8730a2-ccc0-465c-9550-d91edae9d5ee - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Versioning: - uuid: 066084c6-1135-4635-9cc5-9e75c7c5459f - risk: Deployment of untracked artifacts. - measure: Version artifacts in order to identify deployed features and issues. - This includes application and infrastructure code, jenkins configuration, - container and virtual machine images. 
- difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 3 - usefulness: 5 - level: 1 - dependsOn: - - Defined deployment process - implementation: [] - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.1.1 - - 12.1.2 - - 14.2.2 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 5.37 - - 8.32 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Development - and Source Control/066084c6-1135-4635-9cc5-9e75c7c5459f - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Infrastructure Hardening: - Applications are running in virtualized environments: - uuid: 3a94d55e-fd82-4996-9eb3-20d23ff2a873 - risk: Through a vulnerability in one service on a server, the attacker gains - access to other services running on the same server. - measure: Applications are running in a dedicated and isolated virtualized environments. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 5 - usefulness: 3 - level: 2 - implementation: [] - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/3a94d55e-fd82-4996-9eb3-20d23ff2a873 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Backup: - uuid: 5c61fd6b-8106-4c68-ac28-a8a42f1c67dc - risk: If errors are experienced during the deployment process you want to deploy - an old release. However, due to changes in the database this is often unfeasible. - measure: Performing automated periodical backups are used. Backup before deployment - can help facilitate deployments whilst testing the backup restore processes. 
- difficultyOfImplementation: - knowledge: 1 - time: 2 - resources: 1 - usefulness: 4 - level: 2 - implementation: - - uuid: ba7348e5-1abf-4c7d-8fbc-49f99460930b - name: A complete backup of persisted data might be performed*. - tags: [] - - uuid: 9af7624e-0729-4eeb-b257-ebaf65f70355 - name: A Point in Time Recovery for databases should be implemented. - tags: [] - dependsOn: - - Defined deployment process - references: - samm2: - - TODO - iso27001-2017: - - 12.3 - - 14.2.6 - iso27001-2022: - - 8.13 - - 8.31 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/5c61fd6b-8106-4c68-ac28-a8a42f1c67dc - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Baseline Hardening of the environment: - uuid: 5992c38c-8597-4035-89db-d15820d81c3a - risk: Using default configurations for a cluster environment leads to potential - risks. - measure: Harden environments according to best practices. Level 1 and partially - level 2 from hardening practices like 'CIS Kubernetes Bench for Security' - should be considered. - difficultyOfImplementation: - knowledge: 4 - time: 3 - resources: 2 - usefulness: 4 - level: 2 - implementation: - - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff - name: CIS Kubernetes Bench for Security - tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ - - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f - name: CIS Docker Bench for Security - tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ - - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef - name: For example for Cont - tags: [] - description: 'For example for Containers: Deny running containers as root, - deny using advanced privileges, deny mounting of the hole filesystem, ...' 
- url: https://d3fend.mitre.org/technique/d3f:ExecutionIsolation/ - - uuid: 3b7df373-2ad9-456e-9abe-439cdc9d4d8b - name: Attack Matrix Cloud - tags: - - mitre - url: https://attack.mitre.org/matrices/enterprise/cloud/ - description: Attack matrix for cloud - - uuid: 59881520-4c69-4922-a44e-99044a77de2b - name: Attack Matrix Containers - tags: - - mitre - url: https://attack.mitre.org/matrices/enterprise/cloud/ - description: Attack matrix for containers - - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 - name: Attack Matrix Kubernetes - tags: - - mitre - url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - description: Attack matrix for kubernetes - - uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af - name: Defend the core kubernetes security at every layer - url: https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer/ - tags: - - documentation - - cluster - - kubernetes - references: - samm2: - - O-EM-1-A - iso27001-2017: - - system hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/5992c38c-8597-4035-89db-d15820d81c3a - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Filter outgoing traffic: - uuid: 6df508ef-86fc-4c22-bd9f-646c3127ce7d - risk: A compromised infrastructure component might try to send out stolen data. - measure: Having a whitelist and explicitly allowing egress traffic provides - the ability to stop unauthorized data leakage. 
- difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 3 - usefulness: 2 - level: 3 - dependsOn: [] - implementation: - - uuid: 4a024319-4510-4a53-a8b6-8f35b6c01867 - name: Open Policy Agent - tags: [] - url: https://www.openpolicyagent.org/ - - uuid: e3c6fb92-3f7d-471f-9308-c62359f4f1b7 - name: firewalls - tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/ - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/6df508ef-86fc-4c22-bd9f-646c3127ce7d - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Hardening of the Environment: - uuid: dcf9601b-b4f2-4e25-9143-e39af75f7c33 - risk: Using default configurations for a cluster environment leads to potential - risks. - measure: Harden environments according to best practices. Level 2 and partially - level 3 from hardening practices like 'CIS Kubernetes Bench for Security' - should be considered. - difficultyOfImplementation: - knowledge: 4 - time: 4 - resources: 2 - usefulness: 3 - level: 4 - implementation: - - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff - name: CIS Kubernetes Bench for Security - tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ - - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f - name: CIS Docker Bench for Security - tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ - - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef - name: For example for Cont - tags: [] - description: 'For example for Containers: Deny running containers as root, - deny using advanced privileges, deny mounting of the hole filesystem, ...' 
- url: https://d3fend.mitre.org/technique/d3f:ExecutionIsolation/ - - uuid: 3b7df373-2ad9-456e-9abe-439cdc9d4d8b - name: Attack Matrix Cloud - tags: - - mitre - url: https://attack.mitre.org/matrices/enterprise/cloud/ - description: Attack matrix for cloud - - uuid: 59881520-4c69-4922-a44e-99044a77de2b - name: Attack Matrix Containers - tags: - - mitre - url: https://attack.mitre.org/matrices/enterprise/cloud/ - description: Attack matrix for containers - - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 - name: Attack Matrix Kubernetes - tags: - - mitre - url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - description: Attack matrix for kubernetes - - uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af - name: Defend the core kubernetes security at every layer - url: https://thenewstack.io/defend-the-core-kubernetes-security-at-every-layer/ - tags: - - documentation - - cluster - - kubernetes - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/dcf9601b-b4f2-4e25-9143-e39af75f7c33 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Immutable infrastructure: - uuid: 48e92bb1-fdba-40e8-b6c2-35de0d431833 - risk: The availability of IT systems might be disturbed due to components failures - measure: Redundancies in the IT systems - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - level: 3 - dependsOn: - - Infrastructure as Code - implementation: - - uuid: b206481f-9c66-45e2-843c-37c5730580cd - name: Remove direct access to infrastructure - tags: [] - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 17.2.1 - iso27001-2022: - - Not 
explicitly covered by ISO 27001 - too specific - - 8.14 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/48e92bb1-fdba-40e8-b6c2-35de0d431833 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Infrastructure as Code: - uuid: 8b994601-575e-4ea5-b228-accb18c8e514 - risk: No tracking of changes in systems might lead to errors in the configuration. - In additions, it might lead to unauthorized changes. An examples is jenkins. - measure: Systems are setup by code. A full environment can be provisioned. In - addition, software like Jenkins 2 can be setup and configured in in code too. - The code should be stored in a version control system. - difficultyOfImplementation: - knowledge: 3 - time: 5 - resources: 4 - usefulness: 4 - level: 3 - implementation: - - uuid: b0931397-2402-44f1-814b-63292ab4a339 - name: GitOps - tags: [] - url: https://www.redhat.com/en/topics/devops/what-is-gitops - - uuid: 73747d35-2185-4f22-94a0-723288fa283c - name: Ansible - tags: [] - url: https://github.com/ansible/ansible - - uuid: 691c443f-b6e2-498d-94dc-778d8d51cfce - name: Chef - tags: [] - url: https://github.com/chef/chef - - uuid: eb7f76a8-87e5-4394-af4c-c09487c85982 - name: Puppet - tags: [] - url: https://github.com/puppetlabs/puppet - - uuid: 321dcfe4-d2fc-4dd2-85bf-aac563958458 - name: Jenkinsfile - tags: [] - url: https://www.jenkins.io/doc/book/pipeline/jenkinsfile/ - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.1.1 - - 12.1.2 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 5.37 - - 8.32 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/8b994601-575e-4ea5-b228-accb18c8e514 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Isolated networks for virtual environments: - uuid: 
4ce24abd-8ba6-494c-828d-4d193e28e4a1 - risk: Virtual environments in default settings are able to access other virtual - environments on the network stack. By using virtual machines, it is often - possible to connect to other virtual machines. By using docker, one bridge - is used by default so that all containers on one host can communicate with - each other. - measure: The communication between virtual environments is controlled and regulated. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 3 - usefulness: 5 - level: 2 - dependsOn: [] - implementation: - - uuid: 9429d52c-203d-49ae-814f-1401210887cd - name: istio - tags: [] - url: https://istio.io/ - - uuid: fc0eda30-2bf7-466f-948e-e17584db9f30 - name: bridges - tags: [] - - uuid: e3c6fb92-3f7d-471f-9308-c62359f4f1b7 - name: firewalls - tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:Firewall/ - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/4ce24abd-8ba6-494c-828d-4d193e28e4a1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Limitation of system events: - uuid: e5386abf-9154-4752-a1a8-c3a8900f732d - risk: System events (system calls) can lead to privilege escalation. - measure: System calls are limited. 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 5 - level: 3 - dependsOn: - - Audit of system events - implementation: - - uuid: 0cc7e68b-f7d9-4e66-8065-47d076129ffd - name: seccomp - tags: [] - url: https://man7.org/linux/man-pages/man2/seccomp.2.html - - uuid: 73ab2e3d-11a7-459d-8b57-9337662bd1ff - name: strace - tags: [] - url: https://man7.org/linux/man-pages/man1/strace.1.html - - uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012 - name: Falco - tags: - - falco - - systemcall - - monitoring - url: https://github.com/falcosecurity/falco - description: | - Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. - references: - samm2: - - O-EM-1-A - iso27001-2017: - - System hardening is not explicitly covered by ISO 27001 - too specific - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/e5386abf-9154-4752-a1a8-c3a8900f732d - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - MFA: - uuid: 598e9f13-1ac8-4a01-b85e-8fab93ee81de - risk: One factor authentication is more vulnerable to brute force attacks and - is considered less secure. 
- measure: Two ore more factor authentication for all accounts on all (important) - systems and applications - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 4 - level: 2 - dependsOn: - - MFA for admins - implementation: - - uuid: e76a395a-8d6a-4e25-a175-6cf25409b755 - name: Smartcard - tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ - - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 - name: YubiKey - tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ - - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 - name: SMS - tags: [] - - uuid: f69f5d03-691f-4e14-8fbc-ad66e2e5a12d - name: TOTP - tags: [] - url: https://d3fend.mitre.org/technique/d3f:One-timePassword/ - references: - samm2: - - O-EM-1-A - iso27001-2017: - - 9.2.4 - - 6.1.2 - - 14.2.1 - iso27001-2022: - - 5.17 - - 5.3 - - 8.25 - d3f: - - Multi-factorAuthentication - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/598e9f13-1ac8-4a01-b85e-8fab93ee81de - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - MFA for admins: - uuid: 8098e416-e1ed-4ae4-a561-83efbe76bf57 - risk: One factor authentication is more vulnerable to brute force attacks and - is considered less secure. 
- measure: Two ore more factor authentication for all privileged accounts on systems - and applications - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 2 - usefulness: 4 - level: 1 - implementation: - - uuid: e76a395a-8d6a-4e25-a175-6cf25409b755 - name: Smartcard - tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ - - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 - name: YubiKey - tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ - - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 - name: SMS - tags: [] - - uuid: f69f5d03-691f-4e14-8fbc-ad66e2e5a12d - name: TOTP - tags: [] - url: https://d3fend.mitre.org/technique/d3f:One-timePassword/ - references: - samm2: - - O-EM-1-A - iso27001-2017: - - 9.2.4 - - 6.1.2 - - 14.2.1 - iso27001-2022: - - 5.17 - - 5.3 - - 8.25 - d3f: - - Multi-factorAuthentication - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/8098e416-e1ed-4ae4-a561-83efbe76bf57 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Microservice-architecture: - uuid: 118b869b-3850-456e-98d9-1abdb85cbc5a - risk: Monolithic applications are hard to test. - measure: A microservice-architecture helps to have small components, which are - more easy to test. 
- difficultyOfImplementation: - knowledge: 4 - time: 5 - resources: 5 - usefulness: 1 - level: 5 - implementation: [] - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/118b869b-3850-456e-98d9-1abdb85cbc5a - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Production near environments are used by developers: - uuid: e14de741-94b3-447c-8b07-eea947d82e61 - risk: In case an errors occurs in production, the developer need to be able - to create a production near environment on a local development environment. - measure: Usage of infrastructure as code helps to create a production near environment. - The developer needs to be trained in order to setup a local development environment. - In addition, it should be possible to create production like test data. Often - personal identifiable information is anonymized in order to comply with data - protection laws. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 3 - usefulness: 4 - level: 4 - dependsOn: - - Defined deployment process - - Infrastructure as Code - implementation: [] - references: - samm2: - - O-EM-1-A - iso27001-2017: - - 12.1.4 - - 17.2.1 - iso27001-2022: - - 8.31 - - 8.14 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/e14de741-94b3-447c-8b07-eea947d82e61 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Role based authentication and authorization: - uuid: 070bb14b-e04a-4f3d-896a-a08eba7a35f9 - risk: Everyone is able to get unauthorized access to information on systems - or to modify information unauthorized on systems. - measure: The usage of a (role based) access control helps to restrict system - access to authorized users. 
- difficultyOfImplementation: - knowledge: 2 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - implementation: - - uuid: 04edc63e-d389-48dd-b365-552aaf4ea004 - name: Directory Service - tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:DirectoryService/ - - uuid: cc55cba1-ea0a-466e-99c5-337c9da2b00e - name: Plugins - tags: [] - dependsOn: - - Defined deployment process - - Defined build process - references: - samm2: - - O-EM-1-A - iso27001-2017: - - 9.4.1 - iso27001-2022: - - 8.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/070bb14b-e04a-4f3d-896a-a08eba7a35f9 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Simple access control for systems: - uuid: 82e499d1-f463-4a4b-be90-68812a874af6 - risk: Attackers a gaining access to internal systems and application interfaces - measure: All internal systems are using simple authentication - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 3 - usefulness: 5 - level: 1 - dependsOn: - - Defined deployment process - implementation: - - uuid: 41fda224-2980-443c-bfd4-0a1d4b520cb9 - name: HTTP-Basic Authentication - tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:WebAuthentication/ - - uuid: e506f60b-747b-44b1-8fe8-f67ccd8f290e - name: VPN - tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:VPN/ - references: - samm2: - - O-EM-1-A - iso27001-2017: - - 9.4.1 - iso27001-2022: - - 8.3 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/82e499d1-f463-4a4b-be90-68812a874af6 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Usage of a chaos monkey: - uuid: f8e80f18-2503-4e3e-b3bc-7f67bb28defe - risk: Due to manual changes on a system, they are not replaceable anymore. In - case of a crash it might happen that a planned redundant system is unavailable. 
- In addition, it is hard to replay manual changes. - measure: A randomized periodically shutdown of systems makes sure, that nobody - will perform manual changes to a system. - difficultyOfImplementation: - knowledge: 3 - time: 5 - resources: 5 - usefulness: 3 - level: 4 - implementation: [] - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 17.1.3 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 5.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/f8e80f18-2503-4e3e-b3bc-7f67bb28defe - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Usage of an security account: - uuid: 746025a6-dbfb-4087-a000-e46acab64ee1 - risk: Having security auditing in the same account as infrastructure and applications - at the cloud provide might cause evil administrators (or threat actors taking - over an account of an administrator) to alter evidence like audit logs. - measure: Usage of a separate account dedicated for security activities. - difficultyOfImplementation: - knowledge: 3 - time: 2 - resources: 3 - usefulness: 4 - level: 2 - implementation: "" - references: - samm2: - - I-SD-2-B - iso27001-2017: - - 10.1 - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/746025a6-dbfb-4087-a000-e46acab64ee1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Usage of edge encryption at transit: - uuid: ad23be9c-5661-4f1f-81a3-5a5dc7061629 - risk: Evil actors might be able to perform a man in the middle attack and sniff - confidential information (e.g. authentication factors like passwords). 
- measure: |- - By using encryption at the edge of traffic in transit, it is impossible - or at least harder to sniff credentials or information being outside of the organization. - - Using standard secure protocols like HTTPS is recommended. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 1 - implementation: "" - references: - samm2: - - I-SD-2-B - iso27001-2017: - - 10.1 - iso27001-2022: - - 8.24 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/ad23be9c-5661-4f1f-81a3-5a5dc7061629 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Usage of encryption at rest: - uuid: 0ff45fb8-7eef-46ed-9b3a-84c955cd7060 - risk: Evil actors might be able to access data and read information, e.g. from - physical hard disks. - measure: By using encryption at rest, it is impossible or at least harder to - to read information. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 2 - implementation: "" - references: - samm2: - - I-SD-2-B - iso27001-2017: - - 10.1 - iso27001-2022: - - 8.24 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/0ff45fb8-7eef-46ed-9b3a-84c955cd7060 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Usage of internal encryption at transit: - uuid: ecb0184c-6bc9-45da-bbbb-a983797ffc93 - risk: Evil actors within the organization of traffic in transit might be able - to perform a man in the middle attack and sniff confidential information (e.g. - authentication factors like passwords) - measure: By using encryption internally, e.g. inside of a cluster, it is impossible - or at least harder to sniff credentials. 
- difficultyOfImplementation: - knowledge: 3 - time: 4 - resources: 3 - usefulness: 4 - level: 3 - implementation: "" - references: - samm2: - - I-SD-2-B - iso27001-2017: - - 10.1 - iso27001-2022: - - 8.24 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/ecb0184c-6bc9-45da-bbbb-a983797ffc93 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Usage of security by default for components: - uuid: 11b3848e-e931-4146-a35d-35409ada24ee - risk: Components (images, libraries, applications) are not hardened. - measure: Hardening of components is important, specially for image on which - other teams base on. Hardening should be performed on the operation system - and on the services inside (e.g. Nginx or a Java-Application). - difficultyOfImplementation: - knowledge: 4 - time: 3 - resources: 1 - usefulness: 3 - level: 3 - implementation: - - uuid: d7fb1f5a-05e3-49f7-ae67-00bfb8f8410c - name: 'For applications: Check default encoding' - tags: [] - - uuid: 7e744f11-976e-46b6-88d4-f39b2965dfaf - name: managing secrets - tags: [] - url: https://d3fend.mitre.org/technique/d3f:CredentialHardening/ - - uuid: 520517ef-2911-4efc-8e1b-dcc9389aca45 - name: crypto - tags: [] - - uuid: ba6bd46c-2069-4f4d-b26c-7334a7553339 - name: authentication - tags: [] - url: https://d3fend.mitre.org/dao/artifact/d3f:Authentication/ - dependsOn: - - Defined build process - references: - samm2: - - O-EM-1-A - iso27001-2017: - - not explicitly covered by ISO 27001 - too specific - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/11b3848e-e931-4146-a35d-35409ada24ee - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Usage of test and production environments: - uuid: bfdacb52-1e3f-431d-ae72-d844a5e86415 - risk: Security tests are not 
running regularly because test environments are - missing - measure: A test and a production like environment is used - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 5 - usefulness: 4 - level: 2 - dependsOn: - - Defined deployment process - implementation: [] - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.1.4 - - 17.2.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.31 - - 8.14 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/bfdacb52-1e3f-431d-ae72-d844a5e86415 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Virtual environments are limited: - uuid: 760f1056-b0ee-4f22-a35b-f65446f944ca - risk: Denial of service (internally by an attacker or unintentionally by a bug) - on one service effects other services - measure: All virtual environments are using resource limits on hard disks, memory - and CPU - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 3 - usefulness: 3 - level: 2 - dependsOn: - - Applications are running in virtualized environments - implementation: [] - references: - samm2: - - O-EM-1-A - iso27001-2017: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 12.1.3 - - 13.1.3 - - 17.2.1 - iso27001-2022: - - Virtual environments are not explicitly covered by ISO 27001 - too specific - - 8.6 - - 8.22 - - 8.14 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/760f1056-b0ee-4f22-a35b-f65446f944ca - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - WAF Advanced: - uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced - risk: The presence of sophisticated threats necessitates a robust defense strategy - where application inputs are meticulously scrutinized for security breaches, - 
including advanced persistent threats and zero-day vulnerabilities. - measure: An advanced WAF protection level includes rigorous input validation, - rejecting any parameters not explicitly required, and custom rule sets that - are dynamically updated in response to emerging threats. - description: | - The advanced WAF setup is designed to ensure all data is in the correct format and any superfluous input parameters are automatically rejected. It includes machine learning algorithms to detect anomalies, custom-developed rules for real-time traffic analysis, and seamless integration with existing security infrastructures to adapt to the ever-changing threat landscape. - difficultyOfImplementation: - knowledge: 5 - time: 5 - resources: 5 - usefulness: 4 - level: 5 - dependsOn: - - WAF medium - implementation: [] - references: - samm2: - - D-SR-3-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-advanced - comments: ~ - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - WAF baseline: - uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b - risk: Vulnerable input, such as exploits, can infiltrate the application via - numerous entry points, posing a significant security threat. - measure: Implementing a web application firewall (WAF) is a critical security - control. At a baseline level, the objective is to finely balance the reduction - of false positives, maintaining user experience, against a potential increase - in the less noticeable false negatives. - description: | - Begin with the WAF in a monitoring state to understand the traffic and threats. 
Progressively enforce blocking actions based on intelligence gathered, ensuring minimal disruption to legitimate traffic. - difficultyOfImplementation: - knowledge: 3 - time: 4 - resources: 3 - usefulness: 3 - level: 3 - dependsOn: - - Context-aware output encoding - implementation: [] - references: - samm2: - - D-SR-3-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b - comments: ~ - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - WAF medium: - uuid: f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium - risk: The threat from malicious inputs remains high, with exploits seeking to - exploit any vulnerabilities present at the various points of entry to the - application. - measure: A WAF deployed with a medium level of protection strengthens the security - posture by striking a more advanced balance between the detection of genuine - threats and the minimization of false alarms. - description: | - Maintain the WAF in alert mode initially to ensure a comprehensive understanding of potential threats. With a medium-level configuration, the WAF settings are refined for greater precision in threat detection, with a stronger emphasis on security without significantly impacting legitimate traffic. 
- difficultyOfImplementation: - knowledge: 4 - time: 5 - resources: 4 - usefulness: 3 - level: 4 - dependsOn: - - WAF baseline - implementation: [] - references: - samm2: - - D-SR-3-A - iso27001-2017: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Infrastructure - Hardening/f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium - comments: ~ - tags: - - none - teamsImplemented: - Default: false - B: false - C: false -Information Gathering: - Logging: - Centralized application logging: - uuid: fe875e17-ae4a-45f8-a359-244aa4fcbc04 - risk: Local stored logs can be unauthorized manipulated by attackers with system - access or might be corrupt after an incident. In addition, it is hard to perform - an correlation of logs. This leads attacks, which can be performed silently. - measure: A centralized logging system is used and applications logs (including - application exceptions) are shipped to it. - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 5 - level: 3 - dependsOn: - - Alerting - implementation: [] - references: - samm2: - - O-IM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.4.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.15 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/fe875e17-ae4a-45f8-a359-244aa4fcbc04 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Centralized system logging: - uuid: 4eced38a-7904-4c45-adb0-50b663065540 - risk: Local stored system logs can be unauthorized manipulated by attackers - or might be corrupt after an incident. In addition, it is hard to perform - a aggregation of logs. 
- measure: By using centralized logging logs are protected against unauthorized - modification. - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 2 - level: 1 - implementation: - - uuid: 79f88310-d63e-471d-8e63-8c77f2281b66 - name: rsyslog - url: https://www.rsyslog.com/ - tags: - - tool - - logging - - uuid: 7a8fad2e-d642-4972-8501-74591b23feab - name: logstash - url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html - tags: - - tool - - logging - references: - samm2: - - O-IM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.4.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.15 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/4eced38a-7904-4c45-adb0-50b663065540 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Correlation of security events: - uuid: ccf4561d-253f-4762-adcb-bc4622fd6fc5 - risk: Detection of security related events with hints on different systems/tools/metrics - is not possible. - measure: Events are correlated on one system. For example the correlation and - visualization of failed login attempts combined with successful login attempts. 
- difficultyOfImplementation: - knowledge: 4 - time: 4 - resources: 4 - usefulness: 3 - level: 5 - dependsOn: - - Visualized logging - - Alerting - implementation: [] - references: - samm2: - - O-IM-2-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.4.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.15 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccf4561d-253f-4762-adcb-bc4622fd6fc5 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Logging of security events: - uuid: ccfdd0a8-991e-4269-ad77-c0a54ca655cb - description: | - Implement logging of security relevant events. The following events tend to be security relevant: - - successful/failed login/logout - - creation, change, and deletion of users - - errors during input validation and output creation - - exceptions and errors with security in their name - - transactions of value (e.g., financial transactions, costly operations) - - :unicorn: (special things of your application) - measure: Security-relevant events like login/logout or creation, change, deletion - of users should be logged. - assessment: | - - Show which events are logged. - - Show a test for one event logging. 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 4 - level: 2 - credits: | - [AppSecure-nrw](https://github.com/AppSecure-nrw/security-belts/blob/master/orange/logging-of-security-events.md) - implementation: - - uuid: 7a8fad2e-d642-4972-8501-74591b23feab - name: logstash - url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html - tags: - - tool - - logging - - uuid: f5da3a20-ab64-4ecf-b4e1-660c80036e45 - name: fluentd - tags: - - tool - url: https://www.fluentd.org/ - - uuid: 6226f8bc-2f6e-45c2-9232-98d2027e4531 - name: bash - tags: - - tool - url: https://www.gnu.org/software/bash/ - - uuid: 5a5c7d99-41e8-454a-86ae-a638c9787d8c - name: OWASP Logging CheatSheet - url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html - tags: - - logging - - documentation - references: - samm2: - - O-IM-1-A - iso27001-2017: - - 12.4.1 - iso27001-2022: - - 8.15 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/ccfdd0a8-991e-4269-ad77-c0a54ca655cb - risk: |- - * No track of security-relevant events makes it harder to analyze an incident. - * Security incident analysis takes significantly less time with proper security events, such that an attack can be stopped before the attacker reaches his goal. - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - PII logging concept: - uuid: 613a73dc-4f60-49db-a6ce-4fb7bf8519f9 - risk: Personal identifiable information (PII) is logged and the privacy law - (e.g. General Data Protection Regulation) is not followed. - measure: A concept how to log PII is documented and applied. 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 1 - level: 5 - implementation: - - uuid: 79f88310-d63e-471d-8e63-8c77f2281b66 - name: rsyslog - url: https://www.rsyslog.com/ - tags: - - tool - - logging - - uuid: 7a8fad2e-d642-4972-8501-74591b23feab - name: logstash - url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html - tags: - - tool - - logging - - uuid: f5da3a20-ab64-4ecf-b4e1-660c80036e45 - name: fluentd - tags: - - tool - url: https://www.fluentd.org/ - - uuid: 6226f8bc-2f6e-45c2-9232-98d2027e4531 - name: bash - tags: - - tool - url: https://www.gnu.org/software/bash/ - references: - samm2: - - O-IM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.4.1 - - 18.1.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.15 - - 5.31 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/613a73dc-4f60-49db-a6ce-4fb7bf8519f9 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Visualized logging: - uuid: 7c735089-6a83-419f-8b27-c1e676cedea1 - risk: System and application protocols are not visualized properly which leads - to no or very limited logging assessment. Specially developers might have - difficulty to read applications logs with unusually tools like the Linux tool - 'cat' - measure: Protocols are visualized in a simple to use real time monitoring system. - The GUI gives the ability to search for special attributes in the protocol. 
- difficultyOfImplementation: - knowledge: 1 - time: 3 - resources: 3 - usefulness: 4 - level: 2 - dependsOn: - - Centralized system logging - - Centralized application logging - implementation: - - uuid: 38fe9d00-df8b-44b6-910d-ca0f02b5c5d3 - name: ELK-Stack - tags: [] - url: https://www.elastic.co/elk-stack - references: - samm2: - - O-IM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.4.1 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.15 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Logging/7c735089-6a83-419f-8b27-c1e676cedea1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Monitoring: - Advanced app. metrics: - uuid: d03bc410-74a7-4e92-82cb-d01a020cb6bf - risk: People are not looking into tests results. Vulnerabilities not recolonized, - even they are detected by tools. - measure: All defects from the dimension Test- and Verification are instrumented. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 2 - usefulness: 4 - level: 4 - dependsOn: - - Simple application metrics - - Visualized metrics - implementation: [] - references: - samm2: - - O-IM-2-A - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d03bc410-74a7-4e92-82cb-d01a020cb6bf - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Advanced availability and stability metrics: - uuid: ed715b38-c34b-40cd-83fd-ce807f306fc1 - risk: Trends and advanced attacks are not detected. - measure: Advanced metrics are gathered in relation to availability and stability. - For example unplanned downtime's per year. 
- difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 2 - usefulness: 4 - level: 3 - dependsOn: - - Simple application metrics - - Visualized metrics - implementation: [] - references: - samm2: - - O-IM-2-A - iso27001-2017: - - 12.1.3 - iso27001-2022: - - 8.6 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ed715b38-c34b-40cd-83fd-ce807f306fc1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Alerting: - uuid: 8a442d8e-0eb1-4793-a513-571aef982edd - risk: Incidents are discovered after they happened. - measure: | - Thresholds for metrics are set. In case the thresholds are reached, alarms are send out. Which should get attention due to the critically. - difficultyOfImplementation: - knowledge: 2 - time: 5 - resources: 5 - usefulness: 5 - level: 2 - dependsOn: - - Visualized metrics - implementation: [] - references: - samm2: - - I-DM-A 3 - iso27001-2017: - - 16.1.2 - - 16.1.4 - - 12.1.4 - iso27001-2022: - - 6.8 - - 5.25 - - 8.31 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8a442d8e-0eb1-4793-a513-571aef982edd - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Audit of system events: - uuid: 1cd5e4b8-be36-4726-adc7-d8f843f47ac8 - risk: System events (system calls) trends and attacks are not detected. - measure: Gathering of system calls. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 4 - level: 3 - dependsOn: - - Visualized metrics - implementation: - - uuid: 32b64e6e-5187-45e3-b4f3-f5f9a9739012 - name: Falco - tags: - - falco - - systemcall - - monitoring - url: https://github.com/falcosecurity/falco - description: | - Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. 
- references: - samm2: - - O-IM-2-A - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/1cd5e4b8-be36-4726-adc7-d8f843f47ac8 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Coverage and control metrics: - uuid: d0d681e7-d6de-4829-ac64-a9eb2546aa0d - risk: The effectiveness of configuration, patch and vulnerability management - is unknown. - measure: "Usage of Coverage- and control-metrics to show the effectiveness of - the security program. Coverage is the degree in \n which a specific - security control for a specific target group is applied with all resources.\n - \ The control degree shows the actual application of security standards - and security-guidelines. Examples are gathering information on anti-virus, - anti-rootkits, patch management, server configuration and vulnerability management." - difficultyOfImplementation: - knowledge: 3 - time: 5 - resources: 2 - usefulness: 4 - level: 4 - dependsOn: - - Visualized metrics - implementation: - - uuid: 84ef86ea-ada4-4e10-ae4f-a5bb77dcae5d - name: https://ht.transpare - tags: [] - url: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD - description: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD%20Fileserver/books/SICUREZZA/Addison.Wesley.Security.Metrics.Mar.2007.pdf - references: - samm2: - - O-IM-2-A - iso27001-2017: - - not explicitly covered by ISO 27001 - too specific - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d0d681e7-d6de-4829-ac64-a9eb2546aa0d - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Deactivation of unused metrics: - uuid: 7f36b9ba-bc05-4fd6-9a2a-73344c249722 - risk: High resources are used while gathering unused metrics. 
- measure: Deactivation of unused metrics helps to free resources. - difficultyOfImplementation: - knowledge: 2 - time: 5 - resources: 5 - usefulness: 5 - level: 3 - dependsOn: - - Visualized metrics - implementation: [] - references: - samm2: - - O-IM-1-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.1.3 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.6 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/7f36b9ba-bc05-4fd6-9a2a-73344c249722 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Defense metrics: - uuid: e808028c-351c-42f1-bcd9-fba738d1fc55 - risk: IDS/IPS systems like packet- or application-firewalls detect and prevent - attacks. It is not known how many attacks has been detected and blocked. - measure: | - Gathering of defense metrics like TCP/UDP sources enables to assume the geographic location of the request. - Assuming a Kubernetes cluster with an egress-traffic filter (e.g. IP/domain based), an alert might be send out in case of every violation. For ingress-traffic, alerting might not even be considered. - difficultyOfImplementation: - knowledge: 3 - time: 5 - resources: 2 - usefulness: 4 - level: 4 - dependsOn: - - Visualized metrics - - Filter outgoing traffic - implementation: [] - references: - samm2: - - O-IM-2-A - iso27001-2017: - - 12.4.1 - - 13.1.1 - iso27001-2022: - - 8.15 - - 8.2 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e808028c-351c-42f1-bcd9-fba738d1fc55 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Grouping of metrics: - uuid: 42170a71-d4c8-47af-bd71-bf36875fd05b - risk: The analysis of metrics takes long. - measure: Meaningful grouping of metrics helps to speed up analysis. 
- difficultyOfImplementation: - knowledge: 2 - time: 4 - resources: 2 - usefulness: 2 - level: 3 - implementation: [] - references: - samm2: - - O-IM-2-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 12.1.3 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.6 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/42170a71-d4c8-47af-bd71-bf36875fd05b - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Metrics are combined with tests: - uuid: 71699daf-b2a4-466b-a0b2-89f7dbb18506 - risk: Changes might cause high load due to programming errors. - measure: Metrics during tests helps to identify programming errors. - difficultyOfImplementation: - knowledge: 2 - time: 3 - resources: 2 - usefulness: 5 - level: 5 - dependsOn: - - Grouping of metrics - implementation: [] - references: - samm2: - - O-IM-2-A - iso27001-2017: - - not explicitly covered by ISO 27001 - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/71699daf-b2a4-466b-a0b2-89f7dbb18506 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Monitoring of costs: - uuid: 10e23a8c-22ff-4487-a706-87ccc9d0798e - risk: Not monitoring costs might lead to unexpected high resource consumption - and a high invoice. - measure: Implement cost budgets. Setting of an alert threshold and sending out - errors when it is reached. In the best case, a second threshold with a limit - is set so that the cost can not go higher. 
- difficultyOfImplementation: - knowledge: 1 - time: 2 - resources: 2 - usefulness: 3 - level: 2 - dependsOn: - - Simple application metrics - - Simple system metrics - implementation: [] - references: - samm2: - - O-IM-2-A - iso27001-2017: - - 12.1.3 - iso27001-2022: - - 8.6 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/10e23a8c-22ff-4487-a706-87ccc9d0798e - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Screens with metric visualization: - uuid: 8746647c-638c-473f-8e17-82c068e4c311 - risk: Security related information is discovered too late during an incident. - measure: By having an internal accessible screen with a security related dashboards - helps to visualize incidents. - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 1 - usefulness: 5 - level: 4 - dependsOn: - - Grouping of metrics - implementation: [] - references: - samm2: - - O-IM-2-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 16.1.5 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 5.26 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/8746647c-638c-473f-8e17-82c068e4c311 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Simple application metrics: - uuid: e9a6d403-a467-445e-b98a-74f0c29da0b1 - risk: Attacks on an application are not recognized. - measure: |- - Gathering of application metrics helps to identify incidents like brute force attacks, login/logout patterns, and unusual spikes in activity. Key metrics to monitor include: - - Authentication attempts (successful/failed logins) - - Transaction volumes and patterns (e.g. orders, payments) - - API call rates and response times - - User session metrics - - Resource utilization - - Example: An e-commerce application normally processes 100 orders per hour. 
A sudden spike to 1000 orders per hour could indicate either: - - A legitimate event (unannounced marketing campaign, viral social media post) - - A security incident (automated bulk purchase bots, credential stuffing attack) - - By monitoring these basic metrics, teams can quickly investigate abnormal patterns and determine if they represent security incidents requiring response. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 5 - level: 1 - implementation: - - uuid: ddf221df-3517-42e4-b23d-c1d9a162744c - name: Prometheus - tags: [] - url: https://prometheus.io/ - references: - samm2: - - O-IM-1-A - iso27001-2017: - - 12.4.1 - iso27001-2022: - - 8.15 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/e9a6d403-a467-445e-b98a-74f0c29da0b1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Simple budget metrics: - uuid: f08a3219-6941-43ec-8762-4aff739f4664 - risk: Not getting notified about reaching the end of the budget (e.g. due to - a denial of service) creates unexpected costs. - measure: Cloud providers often provide insight into budgets. A threshold and - alarming for the budget is set. - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 5 - level: 1 - implementation: - - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8 - name: collected - tags: [] - references: - samm2: - - O-IM-1-A - iso27001-2017: - - 12.1.3 - iso27001-2022: - - 8.6 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/f08a3219-6941-43ec-8762-4aff739f4664 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Simple system metrics: - uuid: 3d1f4c3b-f713-46d9-933a-54a014a26c03 - risk: Without simple metrics analysis of incidents are hard. 
In case an application - uses a lot of CPU from time to time, it is hard for a developer to find out - the source with Linux commands. - measure: Gathering of system metrics helps to identify incidents and specially - bottlenecks like in CPU usage, memory usage and hard disk usage. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 5 - assessment: | - Are system metrics gathered? - level: 1 - implementation: - - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8 - name: collected - tags: [] - references: - samm2: - - O-IM-1-A - iso27001-2017: - - 12.1.3 - iso27001-2022: - - 8.6 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/3d1f4c3b-f713-46d9-933a-54a014a26c03 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Targeted alerting: - uuid: d6f06ae8-401a-4f44-85df-1079247fa030 - risk: People are bored (ignorant) of incident alarm messages, as they are not - responsible to react. - measure: By the definition of target groups for incidents people are only getting - alarms for incidents they are in charge for. - difficultyOfImplementation: - knowledge: 2 - time: 5 - resources: 5 - usefulness: 5 - level: 3 - dependsOn: - - Alerting - implementation: [] - references: - samm2: - - I-DM-A 3 - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 16.1.5 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 5.26 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/d6f06ae8-401a-4f44-85df-1079247fa030 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Visualized metrics: - uuid: ded39bcf-4eaa-4c5f-9c94-09acde0a4734 - risk: Not visualized metrics lead to restricted usage of metrics. - measure: Metrics are visualized in real time in a user friendly way. 
- difficultyOfImplementation: - knowledge: 1 - time: 2 - resources: 2 - usefulness: 3 - level: 2 - dependsOn: - - Simple application metrics - - Simple system metrics - implementation: [] - references: - samm2: - - O-IM-2-A - iso27001-2017: - - 12.1.3 - iso27001-2022: - - 8.6 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Monitoring/ded39bcf-4eaa-4c5f-9c94-09acde0a4734 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test KPI: - Fix rate per repo/product: - uuid: cf0d600e-114d-4887-9059-d81c53805f0d - risk: "Not communicating how many applications are adhering to SLAs based on - the criticality of vulnerabilities can lead to delayed remediation of \ncritical - security issues, increasing the risk of exploitation and potential damage - to the organization." - measure: "Measurement and communication of the number of vulnerabilities handled - per severity level for components such as applications, ensuring alignment - with SLAs. \nThe rate should be broken down by team, product, application, - repository, and/or service. This analysis should be conducted at least quarterly." - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 3 - level: 3 - implementation: - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. 
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. - - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde - name: Business friendly vulnerability management metrics - url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 - tags: - - documentation - - vulnerability - - vulnerability management system - - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f - name: DefectDojo Client - tags: - - Defectdojo - - statistics - url: https://github.com/SDA-SE/defectdojo-client - description: | - This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. - references: - samm2: - - I-DM-3-B - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/cf0d600e-114d-4887-9059-d81c53805f0d - tags: - - vulnerability-mgmt - - metrics - - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false - Generation of response statistics: - uuid: c922981b-65ed-40f3-a947-96fee9a0125f - risk: No or delayed reaction to findings leads to potential exploitation of - findings. - measure: Creation and response statistics (e.g. Mean Time to Resolution) of - findings. This is also referred to as _Mean Time to Resolve_. 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - dependsOn: - - Usage of a vulnerability management system - level: 3 - implementation: - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. - - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde - name: Business friendly vulnerability management metrics - url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 - tags: - - documentation - - vulnerability - - vulnerability management system - - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f - name: DefectDojo Client - tags: - - Defectdojo - - statistics - url: https://github.com/SDA-SE/defectdojo-client - description: | - This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. 
- references: - samm2: - - I-DM-2-B - iso27001-2017: - - 16.1.4 - - 8.2.3 - iso27001-2022: - - 5.25 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/c922981b-65ed-40f3-a947-96fee9a0125f - tags: - - vulnerability-mgmt - - metrics - - vmm-measurements - comments: The [DefectDojo-Client](https://github.com/SDA-SE/defectdojo-client/tree/master/statistic-client) - generates statistics from OWASP DefectDojo and places the results in a [Github - repository](https://github.com/pagel-pro/cluster-image-scanner-all-results). - teamsImplemented: - Default: false - B: false - C: false - Number of vulnerabilities/severity: - uuid: bc548cba-cb82-4f76-bd4b-325d9d256279 - risk: Failing to convey the number of vulnerabilities by severity might undermine - the effectiveness of product teams. This might lead to ignorance of findings. - measure: Measurement and communication of vulnerabilities per severity for components - like applications. At least quarterly. - description: |- - Communication can be performed in a simple way, e.g. text based during the build process. - This activity depends on at least one security testing implementation. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 3 - level: 2 - dependsOn: [] - implementation: [] - references: - samm2: - - I-DM-3-B - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/bc548cba-cb82-4f76-bd4b-325d9d256279 - tags: - - vulnerability-mgmt - - metrics - - vmm-measurement - teamsImplemented: - Default: false - B: false - C: false - Number of vulnerabilities/severity/layer: - uuid: 0ec92899-a5cb-4649-984b-2fb1d6c784ad - risk: Failing to convey the number of vulnerabilities by severity and layer - (app/infra) might undermine the effectiveness of product teams. This might - lead to ignorance of findings. 
- measure: Measurement and communication of vulnerabilities per severity for components - like applications and split it depending on the layer (e.g. app/infra). At - least quarterly. - description: |- - Communication can be performed in a simple way, e.g. text based during the build process. - This activity depends on at least one security testing implementation. - Layers to consider (SCA): - - Cloud provider (if insights are possible) - - Runtimes, e.g. Kubernetes nodes - - Base images and container images - - Application - - Layers to consider SAST/DAST: - - Cloud provider - - Runtime, e.g. Kubernetes - - Base images and container images - - Application - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 3 - level: 2 - dependsOn: [] - implementation: [] - references: - samm2: - - I-DM-3-B - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/0ec92899-a5cb-4649-984b-2fb1d6c784ad - tags: - - vulnerability-mgmt - - metrics - - vmm-measurement - teamsImplemented: - Default: false - B: false - C: false - Patching mean time to resolution via PR: - uuid: 86d490b9-d798-4a5b-a011-ab9688014c46 - risk: Without measuring Mean Time to Resolution (MTTR) related to patching, - it is challenging to identify delays in the patching process. Unaddressed - vulnerabilities can be exploited by attackers, leading to potential security - breaches and data loss. - measure: "Measurement and communication of patching Mean Time to Resolution - (MTTR) in alignment with Service Level Agreements (SLAs), conducted at least - on a quarterly basis.\nThis includes the measurement of the existence of a - properly configured automated pull request (PR) tool (e.g., Dependabot or - Renovate) in a repository. \nIn addition, the measurement of the time from - opening an automated PR to merging it.\n\nAverage time to patch is visualized - per component/project/team." 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 2 - usefulness: 3 - level: 2 - dependsOn: - - Automated PRs for patches - implementation: [] - references: - samm2: - - I-DM-3-B - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/86d490b9-d798-4a5b-a011-ab9688014c46 - tags: - - patching - - metrics - - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false - Patching mean time to resolution via production: - uuid: 77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f - risk: Without measuring Mean Time to Resolution (MTTR) related to patching, - it is challenging to identify delays in the patching process. Unaddressed - vulnerabilities can be exploited by attackers, leading to potential security - breaches and data loss. - measure: |- - Measurement and communication of the time from the availability of a patch to its deployment in production in alignment with Service Level Agreements (SLAs), conducted at least on a quarterly basis. - Average time to patch is visualized per component/project/team. 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 2 - usefulness: 3 - level: 4 - dependsOn: - - Patching mean time to resolution via PR - - Automated PRs for patches - implementation: [] - references: - samm2: - - I-DM-3-B - iso27001-2017: - - 16.1.4 - iso27001-2022: - - 5.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/77ffc53e-9f3d-41f4-92d3-02f04f9b6b0f - tags: - - patching - - metrics - - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false - SLA per criticality: - uuid: 51f3fce5-b5c8-4683-8c41-e785fe4f3b5f - risk: "Not communicating how many applications are adhering to SLAs based on - the criticality of vulnerabilities can lead to delayed remediation of \ncritical - security issues, increasing the risk of exploitation and potential damage - to the organization." - measure: "Measurement and communication of how many of the vulnerabilities handling - per severity for components like applications are aligned to SLAs. \nThis - is performed for the hole organization and doesn't need to be broken down - (yet) on team/product/application. \nAt least quarterly." - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 3 - level: 3 - dependsOn: [] - implementation: - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. 
- - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. - - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde - name: Business friendly vulnerability management metrics - url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 - tags: - - documentation - - vulnerability - - vulnerability management system - - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f - name: DefectDojo Client - tags: - - Defectdojo - - statistics - url: https://github.com/SDA-SE/defectdojo-client - description: | - This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. - references: - samm2: - - I-DM-3-B - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test - KPI/51f3fce5-b5c8-4683-8c41-e785fe4f3b5f - tags: - - vulnerability-mgmt - - metrics - - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false -Test and Verification: - Application tests: - High coverage of security related module and integration tests: - uuid: 67667c97-c33e-4306-a4e5-e7b1d8e10c5a - risk: Vulnerabilities are rising due to code changes in a complex microservice - environment in not important components. - measure: Implementation of security related tests via unit tests and integration - tests. Including the test of libraries, in case the are not tested already. 
- difficultyOfImplementation: - knowledge: 5 - time: 5 - resources: 3 - usefulness: 3 - level: 5 - implementation: [] - references: - samm2: - - V-ST-3-B - iso27001-2017: - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - tests/67667c97-c33e-4306-a4e5-e7b1d8e10c5a - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Security integration tests for important components: - uuid: f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715 - risk: Vulnerabilities are rising due to code changes in a complex microservice - environment. - measure: Implementation of essential security related integration tests. For - example for authentication and authorization. - difficultyOfImplementation: - knowledge: 3 - time: 4 - resources: 2 - usefulness: 2 - level: 3 - references: - samm2: - - V-ST-3-B - iso27001-2017: - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - tests/f57d55f2-dc05-4b34-9d1f-f8ce5bfb0715 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Security unit tests for important components: - uuid: eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075 - risk: Vulnerabilities are rising due to code changes. - measure: Usage of unit tests to test important security related features like - authentication and authorization. - difficultyOfImplementation: - knowledge: 3 - time: 4 - resources: 2 - usefulness: 3 - level: 2 - comments: | - The integration of module tests takes place during development instead, it highlights vulnerabilities in sub-routines, functions, modules, libraries etc. checked. - A sample implementation of unit tests are explained in the video [Shift-Left-Security with the Security Test Pyramid - Andreas Falk](https://www.youtube.com/watch?v=TzFZy3f7d8E) starting with minute 9. 
- implementation: - - uuid: cc2eec82-f3a7-4ae5-9ccb-3d75352b2e4d - name: JUnit - tags: - - unittest - url: https://junit.org/junit5/ - - uuid: fd56720a-ad4b-487c-b4c3-897a688672c4 - name: Karma - tags: [] - url: https://karma-runner.github.io - references: - samm2: - - V-ST-3-B - iso27001-2017: - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - tests/eb2c7f9d-d0bd-4253-a2ba-cff2ace4a075 - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Smoke Test: - uuid: 73aaae0b-5d68-4953-9fa4-fd25bf665f2a - risk: During a deployment an error might happen which leads to non-availability - of the system, a part of the system or a feature. - measure: Integration tests are performed against the production environment - after each deployment. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 2 - level: 4 - implementation: [] - dependsOn: - - Defined deployment process - references: - samm2: - - V-ST-3-B - iso27001-2017: - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application - tests/73aaae0b-5d68-4953-9fa4-fd25bf665f2a - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Consolidation: - Advanced visualization of defects: - uuid: 7a82020c-94d1-471c-bbd3-5f7fe7df4876 - risk: Correlation of the vulnerabilities of different tools to have an overview - of the the overall security level per component/project/team is not given. - measure: Findings are visualized per component/project/team. 
- difficultyOfImplementation: - knowledge: 2 - time: 4 - resources: 1 - usefulness: 2 - level: 4 - implementation: - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. - - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde - name: Business friendly vulnerability management metrics - url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 - tags: - - documentation - - vulnerability - - vulnerability management system - references: - samm2: - - I-DM-3-B - iso27001-2017: - - 16.1.4 - - 8.2.1 - - 8.2.2 - - 8.2.3 - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/7a82020c-94d1-471c-bbd3-5f7fe7df4876 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Fix based on accessibility: - uuid: 0c10a7f7-f78f-49f2-943d-19fdef248fed - risk: Overwhelming volume of security findings from automated testing tools. - This might lead to ignorance of findings. - measure: Implement a simple risk-based prioritization framework for vulnerability - remediation based on accessibility of the applications. 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 3 - meta: - implementationGuide: |- - Develop a scoring system for asset accessibility, considering factors like: - - Whether the asset is internet-facing (highly recommended) - - The number of network hops required to reach the asset (recommended) - - Authentication requirements for access (recommended) - dependsOn: - - Treatment of defects with severity high or higher - - Inventory of production components - implementation: ~ - references: - samm2: - - I-DM-3-B - iso27001-2017: - - 16.1.4 - - 8.2.1 - - 8.2.2 - - 8.2.3 - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/0c10a7f7-f78f-49f2-943d-19fdef248fed - tags: - - vuln-action - - defect-management - teamsImplemented: - Default: false - B: false - C: false - Integration in development process: - uuid: aaffa73f-59f6-4267-b0ab-732f3d13e90d - risk: "Not integrating vulnerability handling into the development process may - result in product teams ignoring findings. \n\nSecurity joke: We will gain - 100% false negatives." - measure: Integration of findings into the development process. E.g. adding findings - to the backlog of products teams. - description: |- - Validating Findings by Security Engineers Pros: - - Ensures accuracy and relevance of findings before they reach product teams - - Reduces false positives, saving development teams time and effort - - Might provides a layer of expertise in assessing the severity and impact of vulnerabilities - - Validating Findings by Security Engineers Cons: - - Requires a sufficient number of skilled security engineers, which might be challenging for some organizations - - May slow down the process if security engineers are overloaded with validation tasks - - For Software Composition Analysis findings (known vulnerabilities) I, as a sec. 
eng., struggle to analysis if it is a false positive/true positive due to a lack of insights in the application - - Pushing Findings Directly to Product Teams Pros: - - Accelerates the process by immediately notifying product teams of potential vulnerabilities - - Empowers product teams to take swift action in addressing security issues - Pushing Findings Directly to Product Teams Cons: - - Increases the workload on product teams, potentially leading to frustration - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 3 - level: 3 - dependsOn: [] - implementation: - - uuid: 889444eb-de68-4367-bada-a66f8cb9733a - name: Jira - tags: - - documentation - - issue - - proprietary - url: https://jira.atlassian.com/ - description: Jira is a bug tracking and project management tool developed - by Atlassian, used by development teams for tracking issues, planning sprints, - and managing software releases. It offers features for creating and managing - tasks, assigning them to team members, and monitoring progress through customizable - workflows and dashboards. - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
- - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f - name: DefectDojo Client - tags: - - Defectdojo - - statistics - url: https://github.com/SDA-SE/defectdojo-client - description: | - This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. - references: - samm2: - - I-DM-3-B - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/aaffa73f-59f6-4267-b0ab-732f3d13e90d - tags: - - vulnerability-mgmt - - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false - Integration of vulnerability issues into the development process: - uuid: ce970c9b-da94-41cf-bd78-8c15357b7e8e - risk: To read console output of the build server to search for vulnerabilities - might be difficult. Also, to check a vulnerability management system might - not be a daily task for a developer. - measure: Vulnerabilities are tracked in the teams issue system (e.g. jira). - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 2 - level: 3 - implementation: - - uuid: aaad322e-806e-4c51-b78d-6551f7dc376a - name: SAST - tags: [] - description: 'At SAST (Static Application Security Testing): Server-side / - client-side teams can easily be recorded. With microservice architecture - individual microservices can be used usually Teams.' - url: https://d3fend.mitre.org/dao/artifact/d3f:StaticAnalysisTool/ - - uuid: 9d4bd377-11ec-4054-9c9e-9bfb99ac9609 - name: DAST - tags: [] - description: 'At DAST (Dynamic Application Security Testing): vulnerabilities - are classified and can be assigned to server-side and client-side teams.' 
- url: https://d3fend.mitre.org/dao/artifact/d3f:DynamicAnalysisTool/ - references: - samm2: - - I-DM-2-B - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 16.1.4 - - 16.1.5 - - 16.1.6 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 5.25 - - 5.26 - - 5.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/ce970c9b-da94-41cf-bd78-8c15357b7e8e - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Reproducible defect tickets: - uuid: 27337442-e4b1-4e87-8dc9-ce86fbb79a39 - risk: Vulnerability descriptions are hard to understand by staff from operations - and development. - measure: Vulnerabilities include the test procedure to give the staff from operations - and development the ability to reproduce vulnerabilities. This enhances the - understanding of vulnerabilities and therefore the fix have a higher quality. - difficultyOfImplementation: - knowledge: 3 - time: 2 - resources: 2 - usefulness: 2 - level: 4 - implementation: [] - references: - samm2: - - I-DM-2-B - iso27001-2017: - - 16.1.4 - - 8.2.1 - - 8.2.2 - - 8.2.3 - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/27337442-e4b1-4e87-8dc9-ce86fbb79a39 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Simple false positive treatment: - uuid: c1acc8af-312e-4503-a817-a26220c993a0 - risk: As false positive occur during each test, all vulnerabilities might be - ignored. Specially, if tests are automated an run daily. 
- measure: |- - Findings from security tests must be triaged and outcomes persisted/documented to: - - Prevent re-analysis of known issues in subsequent test runs - - Track accepted risks vs false positives - - Enable consistent decision-making across teams - - At this maturity level, a simple tracking system suffices - tools need only distinguish between "triaged" and "untriaged" findings, without complex categorization. Some tools refer to this as "suppression" of findings. - - Samples for false positive handling: - - [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck/general/suppression.html) - - [Kubescape with VEX](https://kubescape.io/blog/2023/12/07/kubescape-support-for-vex-generation/) - - [OWASP DefectDojo Risk Acceptance](https://docs.defectdojo.com/en/working_with_findings/findings_workflows/risk_acceptances/) and [False Positive Handling](https://docs.defectdojo.com/en/working_with_findings/intro_to_findings/#triage-vulnerabilities-using-finding-status) - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 4 - level: 1 - implementation: - - uuid: bb9d0f2d-f8bc-46b5-bbc7-7dbcf927191c - name: OWASP Defect Dojo - tags: [] - url: https://github.com/DefectDojo/django-DefectDojo - - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
- references: - samm2: - - I-DM-2-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 16.1.6 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 5.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/c1acc8af-312e-4503-a817-a26220c993a0 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Simple visualization of defects: - uuid: 55f4c916-3a34-474d-ad96-9a9f7a4f6a83 - risk: The security level of a component is not visible. Therefore, the motivation - to enhance the security is not give. - measure: Vulnerabilities are simple visualized. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - level: 2 - implementation: - - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207 - name: OWASP Dependency Check - tags: - - OpenSource - - Supply Chain - - vulnerability - url: https://owasp.org/www-project-dependency-check/ - - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). - url: https://github.com/DependencyTrack/dependency-track - tags: - - sca - - inventory - - OpenSource - - Supply Chain - - vulnerability - - inventory - - uuid: ef80cd34-d3ba-4406-a4fa-4cf6f30c2e81 - name: LogParser Jenkins Plugins - tags: [] - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. 
DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. - references: - samm2: - - I-DM-1-B - iso27001-2017: - - 16.1.4 - - 8.2.1 - - 8.2.2 - - 8.2.3 - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/55f4c916-3a34-474d-ad96-9a9f7a4f6a83 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Treatment of all defects: - uuid: b2f77606-3e6c-41e9-b72d-7c0b1d3d581d - risk: Vulnerabilities with severity low are not visible. - measure: All vulnerabilities are added to the quality gate. - difficultyOfImplementation: - knowledge: 3 - time: 4 - resources: 1 - usefulness: 2 - level: 5 - implementation: [] - references: - samm2: - - I-DM-2-B - iso27001-2017: - - 16.1.4 - - 12.6.1 - iso27001-2022: - - 8.8 - - 5.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/b2f77606-3e6c-41e9-b72d-7c0b1d3d581d - tags: - - vuln-action - - defect-management - comments: "" - teamsImplemented: - Default: false - B: false - C: false - Treatment of defects per protection requirement: - uuid: 2b7cc923-bdaf-43e3-8fb4-a995b7783969 - risk: "Not defining the protection requirement of applications can lead to wrong - prioritization, delayed remediation of \ncritical security issues, increasing - the risk of exploitation and potential damage to the organization." 
- measure: "Defining the protection requirement and the corresponding handling - of vulnerabilities per severity for components like applications are aligned - to SLAs. \n This is performed for the hole organization and doesn't need to - be broken down (yet) on team/product/application. \n At least quarterly." - description: |- - The protection requirements for an application should consider: - - Data criticality - - Application accessibility (internal vs. external) - - Regulatory compliance - - Other relevant factors - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 3 - level: 3 - dependsOn: [] - implementation: - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
- - uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde - name: Business friendly vulnerability management metrics - url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705 - tags: - - documentation - - vulnerability - - vulnerability management system - - uuid: 7ec30b0e-9681-427a-80ee-ab811d9e476f - name: DefectDojo Client - tags: - - Defectdojo - - statistics - url: https://github.com/SDA-SE/defectdojo-client - description: | - This projects contains the DefectDojo upload client and statistics client. It is for example used within the ClusterImageScanner. - references: - samm2: - - I-DM-3-B - iso27001-2022: - - 5.25 - - 5.12 - - 5.13 - - 5.1 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/2b7cc923-bdaf-43e3-8fb4-a995b7783969 - tags: - - vulnerability-mgmt - - metrics - - vmm-measurements - teamsImplemented: - Default: false - B: false - C: false - Treatment of defects with severity high or higher: - uuid: 44f2c8a9-4aaa-4c72-942d-63f78b89f385 - risk: Vulnerabilities with severity high or higher are not visible. - measure: Vulnerabilities with severity high or higher are added to the quality - gate. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 1 - comments: False positive analysis, specially for static analysis, is time consuming. - references: - samm2: - - I-DM-2-B - iso27001-2017: - - 16.1.4 - - 12.6.1 - iso27001-2022: - - 8.8 - - 5.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/44f2c8a9-4aaa-4c72-942d-63f78b89f385 - implementation: [] - tags: - - vuln-action - - defect-management - teamsImplemented: - Default: false - B: false - C: false - Treatment of defects with severity middle: - uuid: 9cac3341-fe83-4079-bef2-bfc4279eb594 - risk: Vulnerabilities with severity middle are not visible. 
- measure: Vulnerabilities with severity middle are added to the quality gate. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - level: 3 - comments: False positive analysis, specially for static analysis, is time consuming. - references: - samm2: - - I-DM-2-B - iso27001-2017: - - 16.1.4 - - 12.6.1 - iso27001-2022: - - 8.8 - - 5.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/9cac3341-fe83-4079-bef2-bfc4279eb594 - implementation: [] - tags: - - vuln-action - - defect-management - teamsImplemented: - Default: false - B: false - C: false - Usage of a vulnerability management system: - uuid: 85ba5623-84be-4219-8892-808837be582d - risk: Maintenance of false positives in each tool enforces a high workload. - In addition a correlation of the same finding from different tools is not - possible. - measure: Aggregation of vulnerabilities in one tool reduce the workload to handle - them, e.g. mark as false positives. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 2 - usefulness: 2 - dependsOn: - - Exploit likelihood estimation - - Each team has a security champion - - Office Hours - level: 3 - description: "For known vulnerabilities a processes to estimate the exploit - ability of a vulnerability is recommended.\n\nTo implement a security culture - including training, office hours and security champions can help integrating - \nsecurity scanning at scale. Such activities help to understand why a vulnerability - is potentially critical and needs handling." - implementation: - - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb - name: OWASP DefectDojo - tags: - - vulnerability management system - - owasp - url: https://github.com/DefectDojo/django-DefectDojo - description: | - DefectDojo is a security program and vulnerability management tool. 
DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 - name: Purify - tags: - - vulnerability management system - url: https://github.com/faloker/purify/ - description: | - The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. - - uuid: d899488c-5799-4df1-a14c-3bb92fec3ac3 - name: SecObserve - tags: - - vulnerability management system - url: https://github.com/MaibornWolff/SecObserve - description: | - The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools. - references: - samm2: - - I-DM-1-B - iso27001-2017: - - 12.6.1 - - 16.1.3 - - 16.1.4 - - 16.1.5 - - 16.1.6 - iso27001-2022: - - 8.8 - - 6.8 - - 5.25 - - 5.26 - - 5.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/85ba5623-84be-4219-8892-808837be582d - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Dynamic depth for applications: - Coverage analysis: - uuid: d0ba0be5-c573-405f-b905-b7a8f87a9cc7 - risk: Parts of the service are not still covered by tests. - measure: Check that there are no missing paths in the application with coverage-tools. 
- difficultyOfImplementation: - knowledge: 4 - time: 5 - resources: 3 - usefulness: 4 - level: 5 - implementation: - - uuid: 7063cf8c-cd98-480f-8ef7-11cf241d2366 - name: OWASP Code Pulse - tags: [] - url: https://www.owasp.org/index.php/OWASP_Code_Pulse - - uuid: f011de6e-ab7c-4ec7-af55-03427271ab32 - name: Coverage.py - tags: - - testing - - coverage - url: https://github.com/nedbat/coveragepy - description: | - Code coverage measurement for Python - references: - samm2: - - V-ST-2-A - iso27001-2017: - - not explicitly covered by ISO 27001 - too specific - - part of periodic review, PDCA - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/d0ba0be5-c573-405f-b905-b7a8f87a9cc7 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Coverage of client side dynamic components: - uuid: 9711f871-f79d-4573-8d4f-d2c98fd0d18e - risk: Parts of the service are not covered during the scan, because JavaScript - is not getting executed. Therefore, the coverage of client-side dynamic components - is limited, leading to potential security risks and undetected vulnerabilities. - measure: Usage of a spider which executes dynamic content like JavaScript, e.g. - via Selenium. 
- difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 1 - usefulness: 4 - level: 2 - dependsOn: - - Usage of different roles - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/9711f871-f79d-4573-8d4f-d2c98fd0d18e - implementation: - - uuid: 6583fd5f-4314-4b39-9265-de72f861c8cb - name: Ajax Spider - tags: [] - url: https://www.zaproxy.org/docs/desktop/addons/ajax-spider/ - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Coverage of hidden endpoints: - uuid: 6a9cb303-0f98-48a8-bdcd-56d41c0012b8 - risk: Hidden endpoints of the service are not getting tracked. - measure: Hidden endpoints are getting detected and included in the vulnerability - scan. - difficultyOfImplementation: - knowledge: 3 - time: 2 - resources: 1 - usefulness: 5 - level: 3 - implementation: - - uuid: f2a5f642-43b3-4b2c-97d5-b14d5964981b - name: cURL - tags: [] - url: https://curl.se/ - - uuid: 7ce77258-bf65-4e7a-9627-daf765ee1d77 - name: OpenAPI Specifications - tags: [] - url: https://spec.openapis.org/ - - uuid: 42a87524-ec35-4de2-a30c-1a7c7d045801 - name: OWASP Zap - tags: - - vulnerability - - scanner - url: https://github.com/zaproxy/zaproxy - description: | - The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of ... - - uuid: c9bbecf2-567b-4422-b29a-67b16385f32b - name: Schemathesis - tags: - - testing - - api - - documentation - url: https://github.com/schemathesis/schemathesis - description: | - Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema. 
- dependsOn: - - Usage of different roles - references: - samm2: - - V-ST-2-A - iso27001-2017: - - not explicitly covered by ISO 27001 - too specific - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/6a9cb303-0f98-48a8-bdcd-56d41c0012b8 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Coverage of more input vectors: - uuid: 5e0ff85b-ec89-4ef0-96b1-5695fa0025dc - risk: Parts of the service are not covered. For example specially formatted - or coded parameters are not getting detected as parameter (e.g. parameters - in REST-like URLs, parameters in JSON-Format or base64-coded parameters). - measure: Special parameter and special encodings are defined, so that they get - fuzzed by the used vulnerability scanners. - difficultyOfImplementation: - knowledge: 5 - time: 5 - resources: 1 - usefulness: 4 - level: 3 - dependsOn: - - Usage of different roles - references: - samm2: - - V-ST-2-A - iso27001-2017: - - not explicitly covered by ISO 27001 - too specific - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/5e0ff85b-ec89-4ef0-96b1-5695fa0025dc - implementation: - - uuid: c9bbecf2-567b-4422-b29a-67b16385f32b - name: Schemathesis - tags: - - testing - - api - - documentation - url: https://github.com/schemathesis/schemathesis - description: | - Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema. - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Coverage of sequential operations: - uuid: 845f06ec-148c-4c67-9755-7041911dcca5 - risk: Sequential operations like workflows (e.g. 
login -> put products in the - basket - measure: Sequential operations are defined and checked by the vulnerability - scanner in the defined order. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 1 - usefulness: 5 - level: 3 - implementation: - - uuid: f2a5f642-43b3-4b2c-97d5-b14d5964981b - name: cURL - tags: [] - url: https://curl.se/ - dependsOn: - - Usage of different roles - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 14.2.8 - - 14.2.3 - iso27001-2022: - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/845f06ec-148c-4c67-9755-7041911dcca5 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Coverage of service to service communication: - uuid: 22aab0ef-76ce-4b8c-979c-3699784330db - risk: Service to service communication is not covered. - measure: Service to service communication is dumped and checked. - difficultyOfImplementation: - knowledge: 4 - time: 5 - resources: 2 - usefulness: 3 - level: 5 - dependsOn: - - Simple Scan - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/22aab0ef-76ce-4b8c-979c-3699784330db - implementation: - - uuid: 000b55f9-e6fd-4649-8290-27876a0409e2 - name: Citrus Fresh Integration Testing - tags: - - framework - - testing - url: https://citrusframework.org/ - description: Integration Test framework with focus on messaging applications - and Microservices. - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Simple Scan: - uuid: 07796811-37f9-467c-9ff2-48f346e77ff3 - risk: Deficient security tests are performed. Simple vulnerabilities are not - detected and missing security configurations (e.g. headers) are not set. Fast - feedback is not given. 
- measure: A simple scan is performed to get a security baseline. In case the - test is done in under 10 minutes, it should be part of the build and deployment - process. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 1 - level: 2 - dependsOn: - - Defined build process - implementation: - - uuid: 42a87524-ec35-4de2-a30c-1a7c7d045801 - name: OWASP Zap - tags: - - vulnerability - - scanner - url: https://github.com/zaproxy/zaproxy - description: | - The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of ... - - uuid: 83ae1e92-5eb9-4467-b3d3-fd2f96e6ab63 - name: Arachni - url: https://github.com/Arachni/arachni - references: - samm2: - - V-ST-1-A - iso27001-2017: - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/07796811-37f9-467c-9ff2-48f346e77ff3 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Usage of different roles: - uuid: 65a2d7d9-5441-46bf-a4e3-f76919857750 - risk: Parts of the service are not covered during the scan, because a login - is not performed. - measure: Integration of authentication with all roles used in the service. 
- difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 1 - usefulness: 2 - level: 2 - dependsOn: - - Simple Scan - references: - samm2: - - V-ST-2-A - iso27001-2017: - - not explicitly covered by ISO 27001 - too specific - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/65a2d7d9-5441-46bf-a4e3-f76919857750 - implementation: - - uuid: 7eb37566-02d5-4fff-8dcf-8fcd1c8197f3 - name: Zest - url: https://www.zaproxy.org/docs/desktop/addons/zest/ - tags: - - zap - description: | - Zest is an experimental specialized scripting language (also known as a domain-specific language) originally developed by the Mozilla security team and is intended to be used in web oriented security tools. - assessment: For REST APIs, multiple OAuth2 scopes are used. - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Usage of multiple scanners: - uuid: 5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea - risk: Each vulnerability scanner has different opportunities. By using just - one scanner, some vulnerabilities might not be found. - measure: Usage of multiple spiders and scanner enhance the coverage and the - vulnerabilities. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 5 - usefulness: 1 - level: 4 - dependsOn: - - Usage of different roles - implementation: - - uuid: f220b299-0917-4750-96c5-d81cd402b4df - name: OWASP secureCodeBox - tags: - - vulnerability - - scanner-orchestration - url: https://github.com/secureCodeBox/secureCodeBox - description: | - secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box. 
- references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - - 14.2.5 - iso27001-2022: - - 8.8 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for applications/5b5a1eb2-113f-41fb-a3d6-06af4fdc9cea - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Dynamic depth for infrastructure: - Load tests: - uuid: ab5725aa-4d53-47b9-96df-c14b3fa93bcd - risk: As it is unknown how many requests the systems and applications can serve, - due to an unexpected load the availability is disturbed. - measure: Load test against the production system or a production near system - is performed. - difficultyOfImplementation: - knowledge: 3 - time: 2 - resources: 5 - usefulness: 3 - level: 4 - implementation: [] - references: - samm2: - - V-ST-1-A - iso27001-2017: - - 12.1.3 - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.6 - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/ab5725aa-4d53-47b9-96df-c14b3fa93bcd - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test for exposed services: - uuid: a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8 - risk: Standard network segmentation and firewalling has not been performed, - leading to world open cluster management ports. - measure: With the help of tools the network configuration of unintentional exposed - cluster(s) are tested. To identify clusters, all subdomains might need to - be identified with a tool like OWASP Amass to perform port scans based o the - result. 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 2 - dependsOn: - - Isolated networks for virtual environments - usefulness: 2 - level: 2 - implementation: - - uuid: 08111dc3-bdc4-47d8-8f2e-10bb50a86882 - name: nmap - tags: [] - url: https://nmap.org/ - - uuid: f085295e-46a3-4c8d-bbc3-1ac6b9dfcf2a - name: OWASP Amass - tags: [] - url: https://github.com/OWASP/Amass - references: - samm2: - - V-ST-1-A - iso27001-2017: - - 13.1.3 - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.22 - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/a6c4cefb-a0b7-4787-8cc7-a0f96b4b00d8 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test for unauthorized installation: - uuid: dccf1949-b9a8-4ce8-b992-6a4a7f3a623a - risk: Unapproved components are used. - measure: Components must be whitelisted. Regular scans on the docker infrastructure - (e.g. cluster) need to be performed, to verify that only standardized base - images are used. - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 1 - usefulness: 3 - level: 3 - implementation: - - uuid: 349cf64c-abea-40bb-bd07-9c98ce648fa4 - name: 'Example: All docker images used by teams need to be based on standard - images.' 
- tags: [] - comments: By preventing teams from trying out new components, innovation might - be hampered - references: - samm2: [] - iso27001-2017: - - 12.5.1 - - 12.6.1 - iso27001-2022: - - 8.19 - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/dccf1949-b9a8-4ce8-b992-6a4a7f3a623a - dependsOn: - - Evaluation of the trust of used components - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test for unused Resources: - uuid: 6532c1fe-9d23-4228-8722-558ddabca7d4 - risk: Unused resources, specially secrets, might be still valid, but are exposing - information. As an attacker, I compromise a system, gather credentials and - try to use them. - measure: Test for unused resources helps to identify unused resources. - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 2 - level: 5 - implementation: - - uuid: 8fea20ad-e332-4aa8-b1f1-aa9deb635dc1 - name: K8sPurger - tags: - - vulnerability - - scanner - - dast - - infrastructure - url: https://github.com/yogeshkk/K8sPurger - description: | - Hunt Unused Resources In Kubernetes. - references: - samm2: - - V-ST-1-A - iso27001-2017: - - 13.1.3 - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.22 - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/6532c1fe-9d23-4228-8722-558ddabca7d4 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test network segmentation: - uuid: 6d2c3ac6-8afc-4af6-a5e9-6188341aca01 - risk: Wrong or no network segmentation of pods makes it easier for an attacker - to access a database and extract or modify data. - measure: Cluster internal test needs to be performed. Integration of fine granulated - network segmentation (also between pods in the same namespace). 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - level: 2 - implementation: - - uuid: fffa6fb9-1fae-4852-88dc-c7086961330c - name: netassert - tags: [] - url: https://github.com/controlplaneio/netassert - dependsOn: - - Isolated networks for virtual environments - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 13.1.3 - - 14.2.3 - - 14.2.8 - iso27001-2022: - - 8.22 - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/6d2c3ac6-8afc-4af6-a5e9-6188341aca01 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test of the configuration of cloud environments: - uuid: 7bb70764-9392-4462-935d-e55b2e148199 - risk: Standard hardening practices for cloud environments are not performed - leading to vulnerabilities. - measure: With the help of tools the configuration of virtual environments are - tested. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 2 - implementation: - - uuid: 893d9f37-2142-4490-996c-e43b55064d3d - name: kubescape - url: https://github.com/armosec/kubescape - tags: - - kubernetes - - vulnerability - - misconfiguration - description: _Testing if Kubernetes is deployed securely as defined in Kubernetes - Hardening Guidance by to NSA and CISA_ - - uuid: 2af7204c-a25c-4625-9775-889978386407 - name: kube-hunter - tags: [] - url: https://github.com/aquasecurity/kube-hunter - - uuid: d45fba7d-f176-4f06-a33c-434b17ec8a8f - name: openVAS - tags: [] - url: https://www.openvas.org/ - references: - samm2: [] - iso27001-2017: - - System hardening is not explicitly covered by ISO 27001 - too specific - - 12.6.1 - - 14.2.3 - - 14.2.8 - iso27001-2022: - - System hardening is not explicitly covered by ISO 27001 - too specific - - 8.8 - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth 
for infrastructure/7bb70764-9392-4462-935d-e55b2e148199 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Weak password test: - uuid: 61e10f9c-e126-4ffa-af12-fdbe0d0a831f - risk: Weak passwords in components like applications or systems, specially for - privileged accounts, lead to take over of that account. - measure: Automatic brute force attacks are performed. Specially the usage of - standard accounts like 'admin' and employee user-ids is recommended. - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 1 - usefulness: 1 - level: 3 - implementation: - - uuid: b99c9d52-dd1a-4aef-8699-65173cf978ce - name: HTC Hydra - tags: - - password - url: https://www.htc-cs.com/en/products/htc-hydra/ - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 9.4.3 - iso27001-2022: - - 5.17 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Dynamic - depth for infrastructure/61e10f9c-e126-4ffa-af12-fdbe0d0a831f - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Static depth for applications: - API design validation: - uuid: 017d9e26-42b5-49a4-b945-9f59b308fb99 - risk: Creation of insecure or non-compliant API. - measure: | - Design contract-first APIs using an interface description language such as OpenAPI, AsyncAPI or SOAP - and validate the specification using specific tools. - Checks should be integrated in IDEs and CI/CD pipelines. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 3 - level: 3 - implementation: - - uuid: 261f243e-f89c-4169-b076-b22a03ec00be - name: Spectral - tags: - - linting - - api - - documentation - url: https://github.com/stoplightio/spectral - description: | - Spectral is a flexible JSON/YAML linter built with extensibility in mind. - It uses JSON/YAML path rules to describe the problems you want to find. 
- - uuid: d2c9403d-9da2-4518-b33f-8b74b9c5ca3f - name: API OAS Checker - tags: - - linting - - api - - documentation - url: https://github.com/italia/api-oas-checker - description: | - A tool to check OpenAPI specifications using a comprehensive ruleset based - on API best practices. - references: - samm2: - - V-ST-1-A - iso27001-2017: - - 14.2.1 - - 14.2.5 - iso27001-2022: - - 8.25 - - 8.27 - - 8.28 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/017d9e26-42b5-49a4-b945-9f59b308fb99 - dependsOn: - - Inventory of production components - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Dead code elimination: - uuid: a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d - risk: Dead code increases the attack surface (use of hard coded credentials - and variables, sensitive information) - measure: Collection of unused code and then manual removal of unused code. - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 1 - level: 5 - implementation: - - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb - name: PMD - tags: [] - dependsOn: - - Defined build process - references: - samm2: - - V-ST-2-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 14.2.1 - - 14.2.5 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/a8d7d1f1-fc24-49ab-8fb6-f3a03da9c61d - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Exclusion of source code duplicates: - uuid: d17dbff0-1f10-492a-b4c7-17bb59a0a711 - risk: Duplicates in source code might influence the stability of the application. - measure: Automatic Detection and manual removal of duplicates in source code. 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 1 - level: 5 - implementation: - - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb - name: PMD - tags: [] - dependsOn: - - Defined build process - references: - samm2: - - V-ST-2-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 14.2.1 - - 14.2.5 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/d17dbff0-1f10-492a-b4c7-17bb59a0a711 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Exploit likelihood estimation: - uuid: f2f0f274-c1a0-4501-92fe-7fc4452bc8ad - risk: Without proper prioritization, organizations may waste time and effort - on low-risk vulnerabilities while neglecting critical ones. - measure: Estimate the likelihood of exploitation by using data (CISA KEV) from - the past or prediction models (EPSS). - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 4 - level: 3 - dependsOn: - - Software Composition Analysis (server side) - implementation: - - uuid: aa507341-9531-42cd-95cf-d7b51af47086 - name: Known Exploited Vulnerabilities - tags: - - vulnerability - url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog - description: A catalog of vulnerabilities that have been exploited. - - uuid: e39afc58-8195-4600-92c6-11922e3a141b - name: Exploit Prediction Scoring System - tags: - - vulnerability - url: https://www.first.org/epss/ - description: Estimates the likelihood that a software vulnerability will be - exploited. 
- references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/f2f0f274-c1a0-4501-92fe-7fc4452bc8ad - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Local development security checks performed: - uuid: 6e180abc-7c98-4265-b4e9-852cb91b067b - risk: Creating and developing code contains code smells and quality issues. - measure: | - Integration of quality and linting plugins with interactive development environment (IDEs). - Implement pre-commit checks to prevent secrets & other security issues being commit to source code. - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 1 - usefulness: 4 - level: 3 - implementation: - - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 - name: Fortify Extension for Visual Studio Code - url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code - tags: - - ide - - sast - - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005 - name: Setting Up the Visual Studio Code Extension Plugin - url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin - tags: - - ide - - sast - - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb - name: HCL AppScan CodeSweep - url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep - tags: - - ide - - sast - - uuid: 58ac9dea-b6c7-4698-904e-df89a9451c82 - name: DevSecOps control Pre-commit - url: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls#plan-and-develop - tags: - - pre-commit - - uuid: 8da8d115-0f4e-40f0-a3ce-484a49e845fb - name: Building your DevSecOps pipeline 5 essential activities - url: https://www.synopsys.com/blogs/software-security/devsecops-pipeline-checklist/ - tags: - - pre-commit - references: - samm2: - - V-ST-1-A - iso27001-2017: - - Hardening is 
not explicitly covered by ISO 27001 - too specific - - 13.1.3 - iso27001-2022: - - Hardening is not explicitly covered by ISO 27001 - too specific - - 8.22 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/6e180abc-7c98-4265-b4e9-852cb91b067b - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Software Composition Analysis (client side): - uuid: 07fe8c4f-ae33-4409-b1b2-cf64cfccea86 - risk: Client side components might have vulnerabilities. - measure: Tests for known vulnerabilities in components via Software Composition - Analysis of the frontend are performed. - difficultyOfImplementation: - knowledge: 1 - time: 2 - resources: 1 - usefulness: 2 - level: 3 - dependsOn: - - Defined build process - - Inventory of production components - - Exploit likelihood estimation - implementation: - - uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7 - name: retire.js - tags: [] - url: https://github.com/RetireJS/retire.js/ - - uuid: 7c26484a-763c-437d-b953-d482a4fd7cf3 - name: npm audit - tags: [] - url: https://docs.npmjs.com/cli/audit - - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). - url: https://github.com/DependencyTrack/dependency-track - tags: - - sca - - inventory - - OpenSource - - Supply Chain - - vulnerability - - inventory - - uuid: 5c0e817b-204e-4301-a315-2f7cc180c240 - name: Dependabot - tags: - - dependency - - dependency-management - - scm - url: https://github.com/dependabot/dependabot-core - description: | - Dependabot creates pull requests to keep your dependencies secure and up-to-date. 
- references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/07fe8c4f-ae33-4409-b1b2-cf64cfccea86 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Software Composition Analysis (server side): - uuid: d918cd44-a972-43e9-a974-eff3f4a5dcfe - description: Use a tool like trivy and concentrate on application related vulnerabilities. - At this stage, ignore vulnerabilities in container base images used in the - service. - risk: Server side components might have vulnerabilities. - measure: Tests for known vulnerabilities in server side components (e.g. backend/middleware) - are performed. - difficultyOfImplementation: - knowledge: 1 - time: 3 - resources: 1 - usefulness: 5 - level: 2 - dependsOn: - - Defined build process - - Inventory of production components - implementation: - - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207 - name: OWASP Dependency Check - tags: - - OpenSource - - Supply Chain - - vulnerability - url: https://owasp.org/www-project-dependency-check/ - - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). 
- url: https://github.com/DependencyTrack/dependency-track - tags: - - sca - - inventory - - OpenSource - - Supply Chain - - vulnerability - - inventory - - uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7 - name: retire.js - tags: [] - url: https://github.com/RetireJS/retire.js/ - - uuid: 7c26484a-763c-437d-b953-d482a4fd7cf3 - name: npm audit - tags: [] - url: https://docs.npmjs.com/cli/audit - - uuid: 5c0e817b-204e-4301-a315-2f7cc180c240 - name: Dependabot - tags: - - dependency - - dependency-management - - scm - url: https://github.com/dependabot/dependabot-core - description: | - Dependabot creates pull requests to keep your dependencies secure and up-to-date. - - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b - name: https://github.com/aquasecurity/trivy - tags: [] - url: https://github.com/aquasecurity/trivy - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/d918cd44-a972-43e9-a974-eff3f4a5dcfe - tags: - - vmm-testing - teamsImplemented: - Default: false - B: false - C: false - Static analysis for all components/libraries: - uuid: f4ff841d-3b2a-45d9-853e-5ec7ecbcb054 - risk: Used components like libraries and legacy applications might have vulnerabilities - measure: Usage of a static analysis for all used components. 
- difficultyOfImplementation: - knowledge: 2 - time: 4 - resources: 2 - usefulness: 3 - level: 5 - dependsOn: - - Static analysis for important client side components - - Static analysis for important server side components - - Inventory of production components - implementation: [] - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/f4ff841d-3b2a-45d9-853e-5ec7ecbcb054 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Static analysis for all self written components: - uuid: ee68331f-9b1d-4f61-844b-b2ea04753a84 - risk: Parts in the source code of the frontend or middleware have vulnerabilities. - measure: Usage of static analysis tools for all parts of the middleware and - frontend. Static analysis uses for example string matching algorithms and/or - dataflow analysis. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 4 - implementation: - - uuid: 6a0948a7-4781-4858-9766-f4303971b28b - name: eslint - tags: [] - url: https://eslint.org/ - - uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078 - name: FindSecurityBugs - tags: [] - - uuid: cccc2882-62ab-4175-afa1-58471017e8ed - name: jsprime - tags: [] - url: https://github.com/dpnishant/jsprime - - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 - name: Fortify Extension for Visual Studio Code - url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code - tags: - - ide - - sast - - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005 - name: Setting Up the Visual Studio Code Extension Plugin - url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin - tags: - - ide - - sast - - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb - name: HCL AppScan CodeSweep - url: 
https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep - tags: - - ide - - sast - dependsOn: - - Static analysis for important client side components - - Static analysis for important server side components - - Inventory of production components - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/ee68331f-9b1d-4f61-844b-b2ea04753a84 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Static analysis for important client side components: - uuid: e237176b-bec5-447d-a926-e37d6dd60e4b - risk: Important parts in the source code of the frontend have vulnerabilities. - measure: Usage of static analysis tools for important parts of the frontend - are used. Static analysis uses for example string matching algorithms and/or - dataflow analysis. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - level: 3 - implementation: - - uuid: 6a0948a7-4781-4858-9766-f4303971b28b - name: eslint - tags: [] - url: https://eslint.org/ - - uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078 - name: FindSecurityBugs - tags: [] - - uuid: cccc2882-62ab-4175-afa1-58471017e8ed - name: jsprime - tags: [] - url: https://github.com/dpnishant/jsprime - - uuid: 3a8ba0ea-37dc-4124-983b-bbf9b4443d75 - name: '[bdd-mobile-security' - tags: [] - url: https://github.com/ing-bank/bdd-mobile-security-automation-framework - description: '[bdd-mobile-security-automation-framework](https://github.com/ing-bank/bdd-mobile-security-automation-framework)' - - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 - name: Fortify Extension for Visual Studio Code - url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code - tags: - - ide - - sast - - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005 - name: Setting Up the Visual Studio Code 
Extension Plugin - url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin - tags: - - ide - - sast - - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb - name: HCL AppScan CodeSweep - url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep - tags: - - ide - - sast - dependsOn: - - Defined build process - - Inventory of production components - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/e237176b-bec5-447d-a926-e37d6dd60e4b - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Static analysis for important server side components: - uuid: 6c05c837-8c99-46e2-828b-7c903e27dba4 - risk: Important parts in the source code of the middleware have vulnerabilities. - measure: Usage of static analysis tools for important parts of the middleware - are used. Static analysis uses for example string matching algorithms and/or - dataflow analysis. 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 3 - implementation: - - uuid: 6a0948a7-4781-4858-9766-f4303971b28b - name: eslint - tags: [] - url: https://eslint.org/ - - uuid: f911d2b4-3e0c-424c-acf9-3bd363ef5078 - name: FindSecurityBugs - tags: [] - - uuid: cccc2882-62ab-4175-afa1-58471017e8ed - name: jsprime - tags: [] - url: https://github.com/dpnishant/jsprime - - uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398 - name: Fortify Extension for Visual Studio Code - url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code - tags: - - ide - - sast - - uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005 - name: Setting Up the Visual Studio Code Extension Plugin - url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin - tags: - - ide - - sast - - uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb - name: HCL AppScan CodeSweep - url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep - tags: - - ide - - sast - dependsOn: - - Defined build process - - Inventory of production components - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/6c05c837-8c99-46e2-828b-7c903e27dba4 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Stylistic analysis: - uuid: efa52cc8-6c5c-4ba2-a3d2-7164b0402f34 - risk: Unclear or obfuscated code might have unexpected behavior. - measure: Analysis of compliance to style guides of the source code ensures that - source code formatting rules are met (e.g. indentation, loops, ...). 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 1 - level: 5 - implementation: - - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb - name: PMD - tags: [] - - uuid: 0b7ec352-0c36-4de1-8912-617fc6c608fe - name: How to enforce a consistent coding style in your projects - url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm - tags: - - ide - - linting - - uuid: aa5ded61-5380-4da6-9474-afc36a397682 - name: In-Depth Linting of Your TypeScript While Coding - url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding - tags: - - ide - - linting - - uuid: 94a7a85e-8064-46b4-929a-9e03fa292a9f - name: Super-Linter - tags: - - linting - - scm - url: https://github.com/github/super-linter - description: | - Lint code bases to catch common errors and enforce code style - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - - 14.2.1 - - 14.2.5 - iso27001-2022: - - 8.8 - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/efa52cc8-6c5c-4ba2-a3d2-7164b0402f34 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test for Patch Deployment Time: - uuid: 0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2 - risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities - in production artifacts. - measure: | - Test of the Patch Deployment Time. - This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well. 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 3 - level: 3 - implementation: - - uuid: 00702aca-04d9-49ca-90d0-c32c199b26cb - name: PMD - tags: [] - dependsOn: - - Automated PRs for patches - - Defined build process - references: - samm2: - - V-ST-2-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 14.2.1 - - 14.2.5 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/0cb2c39a-3cec-4353-b3ab-8d70daf4c9d2 - comments: "" - meta: - implementationGuide: Self implementation. This activity is not repeated in - the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure - as well. - tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Test for Time to Patch: - uuid: 13af1227-3dd1-4d4f-a9e9-53deb793c18f - risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities - in production artifacts. - measure: |- - Test of the Time to Patch (e.g. based on Mean Time to Close automatic PRs) - This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well. 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 3 - level: 2 - implementation: - - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 - name: dependabot - tags: - - auto-pr - - patching - url: https://dependabot.com/ - - uuid: 8228266e-e04f-40ba-94c8-bfadc5310920 - name: renovate - tags: - - auto-pr - - patching - url: https://github.com/renovatebot/renovate - dependsOn: - - Automated PRs for patches - references: - samm2: - - V-ST-2-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 14.2.1 - - 14.2.5 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/13af1227-3dd1-4d4f-a9e9-53deb793c18f - comments: "" - meta: - implementationGuide: Usage of a version control platform API (e.g. github - API) can be used to fetch the information. Consider that `Measure libyears` - might be an alternative to this activity. - tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Test libyear: - uuid: 87b54313-fafd-4860-930f-5ef132b3e4ad - risk: Vulnerabilities in running artifacts stay for long and might get exploited. - measure: Test `libyear`, which provides a good insight how good patch management - is. - difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 3 - level: 2 - implementation: - - uuid: 2fff917f-205e-4eab-2e0e-1fab8c04bf33 - name: libyear - tags: - - patching - - build - url: https://libyear.com/ - description: A simple measure of software dependency freshness. It is a single - number telling you how up-to-date your dependencies are. 
- dependsOn: - - Defined build process - references: - samm2: - - V-ST-2-A - iso27001-2017: - - Not explicitly covered by ISO 27001 - too specific - - 14.2.1 - - 14.2.5 - iso27001-2022: - - Not explicitly covered by ISO 27001 - too specific - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/87b54313-fafd-4860-930f-5ef132b3e4ad - comments: "" - meta: - implementationGuide: | - `libyear` can be integrated into the build process and flag or even better break the build in case the defined threshold (e.g. 30 years) is reached. - An alternative approach is to determine `libyear` based on deployed artifacts (which requires more effort in implementation). - tags: - - patching - teamsImplemented: - Default: false - B: false - C: false - Usage of multiple analyzers: - uuid: 297be001-8d94-41ee-ab29-207020d423c0 - risk: Each vulnerability analyzer has different opportunities. By using just - one analyzer, some vulnerabilities might not be found. - measure: Usage of multiple static tools to find more vulnerabilities. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 5 - usefulness: 1 - level: 4 - dependsOn: - - Software Composition Analysis (server side) - - Software Composition Analysis (client side) - - Static analysis for all self written components - implementation: [] - references: - samm2: - - V-ST-3-A - iso27001-2017: - - 12.6.1 - - 14.2.1 - - 14.2.5 - iso27001-2022: - - 8.8 - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for applications/297be001-8d94-41ee-ab29-207020d423c0 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Static depth for infrastructure: - Analyze logs: - uuid: b217c8bb-5d61-4b41-a675-1083993f83b1 - risk: Not aware of attacks happening. - measure: Check logs for keywords. 
- difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 3 - level: 3 - implementation: - - uuid: 1adf1ac0-8572-407b-a358-3976d9a225e2 - name: SigmaHQ - tags: [] - url: https://github.com/SigmaHQ/sigma - references: - samm2: [] - iso27001-2017: - - ISO 27001:2017 mapping is missing - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/b217c8bb-5d61-4b41-a675-1083993f83b1 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Correlate known vulnerabilities in infrastructure with new image versions: - uuid: 7de0ae33-6538-45cd-8222-a1475647ba58 - risk: TODO. - measure: TODO - difficultyOfImplementation: - knowledge: 2 - time: 5 - resources: 4 - usefulness: 1 - level: 4 - dependsOn: - - Usage of a maximum lifetime for images - implementation: - - uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc - name: Anchore.io - tags: [] - url: https://anchore.com/ - - uuid: f10f5423-4dff-4bb7-99c8-9ce214645071 - name: Clair - tags: [] - url: https://github.com/quay/clair - - uuid: d0c6b3a0-b073-44d7-a187-c4ad8eaa6531 - name: OpenSCAP - tags: [] - url: https://www.open-scap.org/ - - uuid: 04261564-2fcf-4b73-8847-83b0d855e1c5 - name: Vuls - tags: [] - url: https://github.com/future-architect/vuls - references: - samm2: - - V-ST-1-A - iso27001-2017: - - 12.6.1 - - 14.2.1 - iso27001-2022: - - 8.8 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/7de0ae33-6538-45cd-8222-a1475647ba58 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Software Composition Analysis: - uuid: 26e1c6d5-5632-4ec7-80d2-e564b98732ad - risk: Known vulnerabilities in infrastructure components like container images - might get exploited. 
- measure: Check for known vulnerabilities - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 1 - usefulness: 4 - level: 4 - description: Subscribing to Github projects and reading release notes might - help. Software Composition Analysis for infrastructure might help, but is - often too fine-granular. - implementation: - - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b - name: https://github.com/aquasecurity/trivy - tags: [] - url: https://github.com/aquasecurity/trivy - - uuid: 8737c6c0-4e90-400a-bf9a-f8e399913b57 - name: Registries like quay - tags: [] - description: Registries like quay, dockerhub provide (commercial) offerings, - often not suitable for distroless images - - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 - name: Dependency-Track is an intelligent Component Analysis platform that - allows organizations to identify and reduce risk in the software supply - chain. Dependency-Track takes a unique and highly beneficial approach by - leveraging the capabilities of Software Bill of Materials (SBOM). - url: https://github.com/DependencyTrack/dependency-track - tags: - - sca - - inventory - - OpenSource - - Supply Chain - - vulnerability - - inventory - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - iso27001-2022: - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/26e1c6d5-5632-4ec7-80d2-e564b98732ad - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test cluster deployment resources: - uuid: 621fb6a5-5c0a-4408-826a-068868bb031b - risk: The deployment configuration (e.g. kubernetes deployment resources) might - contain unsecured configurations. - measure: Test the deployment configuration for virtualized environments for - unsecured configurations. 
- difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 2 - usefulness: 3 - level: 2 - implementation: - - uuid: 1e58f8d2-61e2-45bb-a17c-51516d0cc9ba - name: kubesec - tags: [] - url: https://kubesec.io - references: - samm2: - - V-ST-1-A - iso27001-2017: - - System hardening is not explicitly covered by ISO 27001 - too specific - - 12.6.1 - - 14.2.3 - - 14.2.8 - iso27001-2022: - - System hardening is not explicitly covered by ISO 27001 - too specific - - 8.8 - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/621fb6a5-5c0a-4408-826a-068868bb031b - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test for image lifetime: - uuid: ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b - risk: Old container images in production indicate that patch management is not - performed and therefore vulnerabilities might exists. - measure: Check the image age of containers in production. - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 1 - usefulness: 2 - level: 2 - implementation: - - url: https://github.com/SDA-SE/clusterscanner - uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f - name: ClusterScanner - tags: - - docker - - image - - container - - vulnerability - - misconfiguration - - security-tools - - scanning - description: Discover vulnerabilities and container image misconfiguration - in production environments. - references: - samm2: - - V-ST-1-A - iso27001-2017: - - 12.6.1 - - 14.2.5 - iso27001-2022: - - 8.8 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/ddfe7c3c-b7a4-4cba-9041-b044d4a34e5b - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test for malware: - uuid: 837f8f90-adc2-4e6b-9ebb-60c2ee29494d - risk: Third party might include malware. Ether due to the maintainer (e.g. 
- typo squatting of an image name and using the wrong image) or by an attacker - on behalf of the maintainer with stolen credentials. - measure: Check for malware in components (e.g. container images, VM baseline - images, libraries). - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 2 - usefulness: 3 - level: 3 - implementation: - - url: https://github.com/SDA-SE/clusterscanner - uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f - name: ClusterScanner - tags: - - docker - - image - - container - - vulnerability - - misconfiguration - - security-tools - - scanning - description: Discover vulnerabilities and container image misconfiguration - in production environments. - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.2.1 - iso27001-2022: - - 8.7 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/837f8f90-adc2-4e6b-9ebb-60c2ee29494d - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test for new image version: - uuid: cb6321aa-0fbf-4996-9e08-05ab26ef4c1e - risk: When a new version of an image is available, it might fix security vulnerabilities. - measure: Check for new images of containers in production. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 1 - usefulness: 2 - level: 3 - implementation: [] - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - - 14.2.5 - - 12.2.1 - iso27001-2022: - - 8.8 - - 8.7 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/cb6321aa-0fbf-4996-9e08-05ab26ef4c1e - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test for stored secrets: - uuid: c6e3c812-56e2-41b0-ae01-b7afc41a004c - risk: Stored secrets in git history, in container images or directly in code - shouldn't exists because they might be exposed to unauthorized parties. 
- measure: Test for secrets in code, container images and history - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 2 - usefulness: 2 - level: 1 - implementation: - - uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6 - name: truffleHog - tags: [] - url: https://github.com/dxa4481/truffleHog - - uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835 - name: go-pillage-registries - tags: [] - url: https://github.com/nccgroup/go-pillage-registries - references: - samm2: - - V-ST-1-A - iso27001-2017: - - vcs usage is not explicitly covered by ISO 27001 - too specific - - 9.4.3 - - 10.1.2 - iso27001-2022: - - vcs usage is not explicitly covered by ISO 27001 - too specific - - 5.17 - - 8.24 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/c6e3c812-56e2-41b0-ae01-b7afc41a004c - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test of infrastructure components for known vulnerabilities: - uuid: 13367d8f-e37f-4197-a610-9ffca4fde261 - risk: Infrastructure components might have vulnerabilities. - measure: Test for known vulnerabilities in infrastructure components. Often, - the only way to respond to known vulnerabilities in operating system packages - is to accept the risk and wait for a patch. As the patch needs to be applied - fast when it is available, this activity depends on 'Usage of a maximum life - for images'. 
- difficultyOfImplementation: - knowledge: 2 - time: 5 - resources: 2 - usefulness: 1 - level: 4 - dependsOn: - - Usage of a maximum lifetime for images - implementation: - - uuid: fab2765d-8d96-4fc6-af96-dc9304ca41dc - name: Anchore.io - tags: [] - url: https://anchore.com/ - - uuid: f10f5423-4dff-4bb7-99c8-9ce214645071 - name: Clair - tags: [] - url: https://github.com/quay/clair - - uuid: d0c6b3a0-b073-44d7-a187-c4ad8eaa6531 - name: OpenSCAP - tags: [] - url: https://www.open-scap.org/ - - uuid: 04261564-2fcf-4b73-8847-83b0d855e1c5 - name: Vuls - tags: [] - url: https://github.com/future-architect/vuls - references: - samm2: - - V-ST-1-A - iso27001-2017: - - 12.6.1 - - 14.2.1 - iso27001-2022: - - 8.8 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/13367d8f-e37f-4197-a610-9ffca4fde261 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test of virtualized environments: - uuid: 58825d22-1ce6-4748-af81-0ec9956e4129 - risk: Virtualized environments (e.g. via Container Images) might contains - unsecure configurations. - measure: Test virtualized environments for unsecured configurations. - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 2 - usefulness: 3 - level: 2 - implementation: - - uuid: 73419fb5-b13d-4242-83ec-86f36c7d73d5 - name: Dive to inspect a container images - tags: [] - url: https://github.com/wagoodman/dive - - url: https://github.com/SDA-SE/clusterscanner - uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f - name: ClusterScanner - tags: - - docker - - image - - container - - vulnerability - - misconfiguration - - security-tools - - scanning - description: Discover vulnerabilities and container image misconfiguration - in production environments. 
- references: - samm2: - - V-ST-1-A - iso27001-2017: - - ISO 27001:2017 mapping is missing - iso27001-2022: - - ISO 27001:2022 mapping is missing - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/58825d22-1ce6-4748-af81-0ec9956e4129 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test the cloud configuration: - uuid: 46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc - risk: Standard hardening practices for cloud environments are not performed - leading to vulnerabilities. - measure: With the help of tools, the configuration of virtual environments are - tested. - difficultyOfImplementation: - knowledge: 2 - time: 2 - resources: 1 - usefulness: 4 - level: 2 - implementation: - - uuid: 8aeefd29-6220-45bf-aead-83eba2e9d055 - name: kube-bench - tags: [] - url: https://github.com/aquasecurity/kube-bench - references: - samm2: - - V-ST-1-A - iso27001-2017: - - System hardening is not explicitly covered by ISO 27001 - too specific - - 12.6.1 - - 14.2.3 - - 14.2.8 - iso27001-2022: - - System hardening is not explicitly covered by ISO 27001 - too specific - - 8.8 - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/46d6a2a8-f9dc-4c15-9fc8-1723cfecbddc - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test the definition of virtualized environments: - uuid: 8fc3de67-7b8d-420b-8d24-f35928cfed6e - risk: The definition of virtualized environments (e.g. via Dockerfile) - might contain unsecure configurations. - measure: Test the definition of virtualized environments for unsecured configurations. - difficultyOfImplementation: - knowledge: 2 - time: 1 - resources: 2 - usefulness: 3 - level: 2 - meta: - implementationGuide: For containier (images), test that the images are following - best practices like distroless or non-root. 
- implementation: - - uuid: 94d993ad-ef6e-4d9f-b7a8-27ea68dc3005 - name: Dockerfile with hadolint - tags: [] - url: https://github.com/hadolint/hadolint - - uuid: 95b717cd-5ad3-40b5-993b-13a63c382b1b - name: Deployment with kube-score - tags: [] - url: https://github.com/zegl/kube-score - - uuid: eba2685d-2d25-4961-8e4e-2957e7c07c30 - name: dockerfilelint - tags: - - sast - - docker - - dockerfile - url: https://github.com/replicatedhq/dockerfilelint - description: dockerfilelint is an node module that analyzes a Dockerfile and - looks for common traps, mistakes and helps enforce best practices. - references: - samm2: - - V-ST-1-A - iso27001-2017: - - System hardening, virtual environments are not explicitly covered by ISO - 27001 - too specific - - 12.6.1 - - 14.2.3 - - 14.2.8 - - 14.2.1 - iso27001-2022: - - System hardening, virtual environments are not explicitly covered by ISO - 27001 - too specific - - 8.8 - - 8.32 - - 8.29 - - 8.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static - depth for infrastructure/8fc3de67-7b8d-420b-8d24-f35928cfed6e - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Test-Intensity: - Creation and application of a testing concept: - uuid: 79ef8103-e1ed-4055-8df8-fd2b2015bebe - risk: Scans might use a too small or too high test intensity. - measure: A testing concept considering the amount of time per scan/intensity - is created and applied. A dynamic analysis needs more time than a static analysis. - The dynamic scan, depending on the test intensity might be performed on every - commit, every night, every week or once in a month. 
- difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 3 - usefulness: 2 - level: 4 - implementation: [] - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 14.2.2 - - 14.2.3 - - 14.2.1 - - 14.2.5 - - 12.6.1 - iso27001-2022: - - 8.25 - - 8.32 - - 8.27 - - 8.8 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/79ef8103-e1ed-4055-8df8-fd2b2015bebe - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Deactivating of unneeded tests: - uuid: 1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5 - risk: As tools cover a wide range of different vulnerability tests, they might - not match the used components. Therefore, they need more time and resources - as they need and the feedback loops takes too much time. - measure: Unneeded tests are deactivated. For example in case the service is - using a Mongo database and no mysql database, the dynamic scan doesn't need - to test for sql injections. - difficultyOfImplementation: - knowledge: 2 - time: 3 - resources: 1 - usefulness: 1 - level: 3 - implementation: [] - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - - 14.2.1 - - 14.2.5 - iso27001-2022: - - 8.8 - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/1bd78cdd-ef11-4bb5-9b58-5af2e25fe1c5 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Default settings for intensity: - uuid: ab0a4b51-3b18-43f1-a6fc-a98e4b28453d - risk: Time pressure and ignorance might lead to false predictions for the test - intensity. - measure: The intensity of the used tools are not modified to save time. 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 1 - level: 1 - implementation: [] - references: - samm2: - - V-ST-1-A - iso27001-2017: - - 12.6.1 - - 14.2.1 - - 14.2.5 - iso27001-2022: - - 8.8 - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/ab0a4b51-3b18-43f1-a6fc-a98e4b28453d - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - High test intensity: - uuid: 2ebfc421-8c76-415c-a3b0-fa518915bd10 - risk: A too small intensity or a too high confidence might lead to not visible - vulnerabilities. - measure: A deep scan with high test intensity and a low confidence threshold - is performed. - difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 5 - usefulness: 3 - level: 3 - implementation: [] - references: - samm2: - - V-ST-2-A - iso27001-2017: - - 12.6.1 - - 14.2.1 - - 14.2.5 - iso27001-2022: - - 8.8 - - 8.25 - - 8.27 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/2ebfc421-8c76-415c-a3b0-fa518915bd10 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Regular automated tests: - uuid: 598897a2-358e-441f-984c-e12ec4f6110a - risk: After pushing source code to the version control system, any delay in - receiving feedback on defects makes them harder for the developer to remediate. - measure: On each push and/or at given intervals automatic security tests are - performed. 
- difficultyOfImplementation: - knowledge: 1 - time: 1 - resources: 1 - usefulness: 2 - level: 2 - implementation: [] - references: - samm2: - - I-SB-3-A - iso27001-2017: - - 14.2.3 - - 14.2.8 - - 14.2.9 - iso27001-2022: - - 8.32 - - 8.29 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Test-Intensity/598897a2-358e-441f-984c-e12ec4f6110a - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false -... diff --git a/src/assets/YAML/meta.yaml b/src/assets/YAML/meta.yaml index 46622595f..a6421b527 100644 --- a/src/assets/YAML/meta.yaml +++ b/src/assets/YAML/meta.yaml @@ -1,5 +1,5 @@ --- -teamProgressFile: 'team-progress.yaml' +teamProgressFile: 'team-progress-default.yaml' progressDefinition: Backlog: 0% # Planned: 10% @@ -20,7 +20,6 @@ activityFiles: # - generated/generated.yaml - default/activities.yaml # - custom/custom-activities.yaml # For customizing your own activities - # - custom/test-ignore-activities.yaml # diff --git a/src/assets/YAML/team-progress-2.yaml b/src/assets/YAML/team-progress-2.yaml deleted file mode 100644 index 21b9fd833..000000000 --- a/src/assets/YAML/team-progress-2.yaml +++ /dev/null @@ -1,16 +0,0 @@ -progress: - a340f46b-6360-4cb8-847b-a0d3483d09d3: # Building and testing of artifacts in virtual environments - A: - Planned: 2025-01-02 - Started: 2025-01-01 - Implemented: 2025-03-02 - B: - Planned: 2025-02-02 - Started: 2025-04-02 - new-team: - Planned: 2025-02-02 - new-uuid: - A: - Planned: 2025-01-02 - Started: 2025-01-01 - Implemented: 2025-03-02 diff --git a/src/assets/YAML/teams.yaml b/src/assets/YAML/teams.yaml deleted file mode 100644 index a5de4cdbb..000000000 --- a/src/assets/YAML/teams.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# -# Teams -# -teams: ['B', 'C', 'My page', 'My app', 'Invoice', 'Admin app'] -teamGroups: - GroupC: ['B', 'C'] - Customer: ['My page', 'My app'] - Internal: ['Invoice', 'Admin app'] - Mobile: ['My app', 'Admin app'] - 
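Review bot: The new `teamProgressFile` target `team-progress-default.yaml` is referenced, but no addition of that file is visible in this part of the series, while `team-progress-2.yaml` and `teams.yaml` are deleted right below; if the file is absent the loader will request a non-existent asset at startup. Please confirm the file is added (possibly in a hunk outside this excerpt), or document where it is expected next to the key, e.g. `teamProgressFile: 'team-progress-default.yaml' # must exist under src/assets/YAML/`.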
diff --git a/src/assets/seek.html b/src/assets/seek.html deleted file mode 100644 index 563bd5168..000000000 --- a/src/assets/seek.html +++ /dev/null @@ -1,140 +0,0 @@ - - - - - SEEK - - - - - - - - - - - - - - - get ready... - - - -
-
- - - From 77881425b6201945c0f268cddef6dfce41e99dae Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Sun, 21 Sep 2025 19:02:17 +0200 Subject: [PATCH 04/23] Install: Remove empty lines --- INSTALL.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index dd0d916f4..43cef6039 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -43,7 +43,6 @@ docker run -d -p 80:8080 wurstbrot/dsomm:latest ``` - ## Any web server - Angular build Since DSOMM is a frontend only application, any web server can host DSOMM. - Clone the DSOMM repo @@ -58,13 +57,6 @@ ng build ``` The files that were created in the subfolder `dist` - - - - - - - ## Teams and Groups To customize these teams, you can create your own [meta.yaml](src/assets/meta.yaml) file with your unique team definitions. From a7fee252835de0a90238d14e088c8b0b16970b94 Mon Sep 17 00:00:00 2001 From: "vegard.bakke" Date: Tue, 23 Sep 2025 20:03:56 +0200 Subject: [PATCH 05/23] Support deployments to URL subfolders --- INSTALL.md | 4 +++- src/app/service/loader/data-loader.service.ts | 2 +- src/app/service/yaml-loader/yaml-loader.service.ts | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index 43cef6039..cd54725fe 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -23,7 +23,6 @@ If you want to override the default `generated.yaml` you can mount this file whe **NB!** Note that the docker command requires an absolute path to the local file. (Hence, the use of the `$PWD` variable. On Windows, substitute `$PWD` with `%CD%`.) - ## Amazon EC2 Instance 1. In the _EC2_ sidenav select _Instances_ and click _Launch Instance_ 
@@ -57,6 +56,9 @@ ng build ``` The files that were created in the subfolder `dist` +If your DSOMM application is having a subfolder in the URL (e.g. https://server.local/our-dsomm), you need to build the Angular application to prepare for this. In that case build the application by using `ng build --base-href /our-dsomm/`. + + ## Teams and Groups To customize these teams, you can create your own [meta.yaml](src/assets/meta.yaml) file with your unique team definitions. diff --git a/src/app/service/loader/data-loader.service.ts b/src/app/service/loader/data-loader.service.ts index 02620f614..5b5f2d8d9 100644 --- a/src/app/service/loader/data-loader.service.ts +++ b/src/app/service/loader/data-loader.service.ts @@ -14,7 +14,7 @@ export class DataValidationError extends Error { @Injectable({ providedIn: 'root' }) export class LoaderService { - private META_FILE: string = '/assets/YAML/meta.yaml'; + private META_FILE: string = 'assets/YAML/meta.yaml'; private debug: boolean = false; private dataStore: DataStore | null = null; diff --git a/src/app/service/yaml-loader/yaml-loader.service.ts b/src/app/service/yaml-loader/yaml-loader.service.ts index c5f34cda9..6df66f393 100644 --- a/src/app/service/yaml-loader/yaml-loader.service.ts +++ b/src/app/service/yaml-loader/yaml-loader.service.ts @@ -178,7 +178,7 @@ export class YamlService { } public makeFullPath(relativePath: string, relativeTo: string) { - let fullPath = new URL(relativePath, 'https://example.org/.' + relativeTo).pathname; + let fullPath = new URL(relativePath, 'https://example.org/' + relativeTo).pathname?.slice(1); // Make sure the new path does not escape its cage let i = relativeTo.lastIndexOf('/'); From 63999efc062752d0db3e22b7bfa4b1d5debe500f Mon Sep 17 00:00:00 2001 
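Review bot: `META_FILE` is now a base-relative asset path resolved against the document `<base href>`, which is the point of the change, but the field is still a mutable `string` although nothing should reassign it; declare it `private readonly META_FILE = 'assets/YAML/meta.yaml';` and let the type be inferred. A one-line comment that the leading slash is intentionally omitted so `ng build --base-href` deployments work would keep the next maintainer from "fixing" it back to `/assets/...`. The rest of `LoaderService` is outside the hunk.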
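Review bot: `makeFullPath` now derives the result from `pathname` alone, so an absolute `relativePath` such as `https://other.host/x` or a protocol-relative `//other.host/x` is accepted by `new URL` and silently reduced to `x` — the foreign host is dropped rather than rejected, and the "does not escape its cage" check that follows (its remaining lines are outside the hunk) appears to compare path prefixes only. Capture the URL and verify it stayed on the sentinel origin before taking the path: `const url = new URL(relativePath, 'https://example.org/' + relativeTo);` / `if (url.origin !== 'https://example.org') throw new Error('Path must be relative: ' + relativePath);` / `let fullPath = url.pathname.slice(1);`. The `?.` on `pathname` is unnecessary because `URL.pathname` is always a string. Since the old code prefixed `'/.'`, `relativeTo` presumably used to start with `/`; the new concatenation only works for a `relativeTo` without a leading slash, which deserves a comment on the parameter. The body of `makeFullPath` continues past the hunk.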
From: "EMEAAD\\vbakke" Date: Wed, 24 Sep 2025 19:05:42 +0200 Subject: [PATCH 06/23] Dependency: Smaller panel, in center --- .../dependency-graph/dependency-graph.component.html | 2 +- .../dependency-graph/dependency-graph.component.ts | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/src/app/component/dependency-graph/dependency-graph.component.html b/src/app/component/dependency-graph/dependency-graph.component.html index a5a51e10b..307dabba0 100644 --- a/src/app/component/dependency-graph/dependency-graph.component.html +++ b/src/app/component/dependency-graph/dependency-graph.component.html @@ -1 +1 @@ - + diff --git a/src/app/component/dependency-graph/dependency-graph.component.ts b/src/app/component/dependency-graph/dependency-graph.component.ts index 6753eecee..e5b4a6fe5 100644 --- a/src/app/component/dependency-graph/dependency-graph.component.ts +++ b/src/app/component/dependency-graph/dependency-graph.component.ts @@ -88,9 +88,7 @@ export class DependencyGraphComponent implements OnInit { } generateGraph(activityName: string): void { - let svg = d3.select('svg'), - width = +svg.attr('width'), - height = +svg.attr('height'); + let svg = d3.select('svg'); this.simulation = d3 .forceSimulation() @@ -101,7 +99,7 @@ export class DependencyGraphComponent implements OnInit { }) ) .force('charge', d3.forceManyBody().strength(-12000)) - .force('center', d3.forceCenter(width / 2, height / 2)); + .force('center', d3.forceCenter(0, 0)); svg .append('defs') From 7945999466b47a5a4bfc3668708f8db91cb795fe Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Wed, 24 Sep 2025 19:32:56 +0200 Subject: [PATCH 07/23] Dependency: Include dependents, as well as dependsOn --- .../component/dependency-graph/dependency-graph.component.html | 2 +- .../component/dependency-graph/dependency-graph.component.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
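Review bot: `svg` is never reassigned once `width`/`height` are gone, so it should be `const svg = d3.select('svg');` rather than `let`. Note also that `d3.select('svg')` picks the first `<svg>` in the whole document, not necessarily this component's own element; if that is intentional a short comment saying so would help, otherwise selecting through the component's host element is safer. The rest of `generateGraph` is outside the hunk.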
diff --git a/src/app/component/dependency-graph/dependency-graph.component.html b/src/app/component/dependency-graph/dependency-graph.component.html index 307dabba0..3cef96373 100644 --- a/src/app/component/dependency-graph/dependency-graph.component.html +++ b/src/app/component/dependency-graph/dependency-graph.component.html @@ -1 +1 @@ - + diff --git a/src/app/component/dependency-graph/dependency-graph.component.ts b/src/app/component/dependency-graph/dependency-graph.component.ts index e5b4a6fe5..161123cc1 100644 --- a/src/app/component/dependency-graph/dependency-graph.component.ts +++ b/src/app/component/dependency-graph/dependency-graph.component.ts @@ -39,7 +39,7 @@ export class DependencyGraphComponent implements OnInit { ngOnInit(): void { this.loader.load().then((dataStore: DataStore) => { - this.dataStore = this.dataStore; + this.dataStore = dataStore; if (!dataStore.activityStore) { throw Error('No activity store loaded'); } From 6fc3242d54510188a80a565679d57a34201cdee4 Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Wed, 24 Sep 2025 20:00:57 +0200 Subject: [PATCH 08/23] Dependency: Add boxes based on text width --- .../dependency-graph.component.ts | 72 ++++++++++++------- 1 file changed, 48 insertions(+), 24 deletions(-) diff --git a/src/app/component/dependency-graph/dependency-graph.component.ts b/src/app/component/dependency-graph/dependency-graph.component.ts index 161123cc1..cf5e1942c 100644 --- a/src/app/component/dependency-graph/dependency-graph.component.ts +++ b/src/app/component/dependency-graph/dependency-graph.component.ts @@ -6,6 +6,7 @@ import { DataStore } from 'src/app/model/data-store'; export interface graphNodes { id: string; + relativeLevel: number; } export interface graphLinks { 
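Review bot: `relativeLevel` is added to `graphNodes` without saying what its values mean; from the callers in this patch it is `-1` for activities the selected one depends on, `1` for activities that depend on it and `0` for the selected activity itself. Document that on the field, e.g. `/** -1 = predecessor (listed in dependsOn), 0 = selected activity, 1 = dependent */ relativeLevel: number;`, so the force layout's reliance on the sign is not guesswork later.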
@@ -58,7 +59,7 @@ export class DependencyGraphComponent implements OnInit { this.addNode(activity.name); if (activity.dependsOn) { for (const prececcor of activity.dependsOn) { - this.addNode(prececcor); + this.addNode(prececcor, -1); this.graphData['links'].push({ source: prececcor, target: activity.name, @@ -71,7 +72,7 @@ export class DependencyGraphComponent implements OnInit { const all: Activity[] = this.dataStore.activityStore?.getAllActivities?.() ?? []; for (const activity of all) { if (activity.dependsOn?.includes(currentActivity.name)) { - this.addNode(activity.name); + this.addNode(activity.name, 1); this.graphData['links'].push({ source: currentActivity.name, target: activity.name, @@ -80,9 +81,9 @@ export class DependencyGraphComponent implements OnInit { } } - addNode(activityName: string) { + addNode(activityName: string, relativeLevel: number = 0): void { if (!this.visited.has(activityName)) { - this.graphData['nodes'].push({ id: activityName }); + this.graphData['nodes'].push({ id: activityName, relativeLevel: relativeLevel }); this.visited.add(activityName); } } @@ -92,13 +93,16 @@ export class DependencyGraphComponent implements OnInit { this.simulation = d3 .forceSimulation() - .force( - 'link', - d3.forceLink().id(function (d: any) { + .force('link', d3.forceLink().id(function (d: any) { return d.id; - }) - ) - .force('charge', d3.forceManyBody().strength(-12000)) + })) + .force('x', d3.forceX((d: any) => { + return d.relativeLevel * 300; + }).strength(10)) + .force('y', d3.forceY((d: any) => { + return d.relativeLevel * 30; + }).strength(10)) + .force('charge', d3.forceManyBody().strength(-8000)) .force('center', d3.forceCenter(0, 0)); svg 
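Review bot: `addNode` only records `relativeLevel` when a node is first seen, so an activity that is both a predecessor and a dependent of the selected one (a cycle in `dependsOn`) keeps whichever level was assigned first and the second call is silently ignored; the selected activity itself is added with level 0 before its neighbours for the same reason. That is probably acceptable, but it deserves a comment such as `// first assignment wins: a node reached from both sides keeps its first relativeLevel`, or an explicit branch if the layout should distinguish that case. `relativeLevel: relativeLevel` can use the property shorthand.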
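Review bot: `forceX(...).strength(10)` and `forceY(...).strength(10)` are far outside the [0, 1] range d3-force documents for positioning forces; a strength above 1 overshoots the target each tick and can make the layout oscillate instead of settling, so consider values at or below 1 and let alpha decay do the convergence. The accessors are typed `(d: any)`; `d3.forceX<graphNodes>((d) => d.relativeLevel * 300)` keeps the node type and removes the `any`.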
@@ -137,22 +141,42 @@ export class DependencyGraphComponent implements OnInit { .append('g'); /* eslint-enable */ - var defaultNodeColor = this.COLOR_OF_NODE; - node - .append('circle') - .attr('r', 10) - .attr('fill', function (d) { - if (d.id == activityName) return 'yellow'; - else return defaultNodeColor; - }); - node - .append('text') - .attr('dy', '.35em') + + var defaultNodeColor = this.COLOR_OF_NODE; + const rectHeight = 30; + const rectRx = 10; + const rectRy = 10; + const padding = 20; + + // Append text first so we can measure it + node.append('text') + .attr('dy', '0.35em') .attr('text-anchor', 'middle') - .text(function (d) { - return d.id; - }); + .text(function (d) { return d.id; }); + + // Now for each node, measure the text and insert a rect behind it + const self = this; + node.each(function(this: SVGGElement, d: any) { + const textElem = d3.select(this).select('text').node() as SVGTextElement; + let textWidth = 60; // fallback default + if (textElem && textElem.getBBox) { + textWidth = textElem.getBBox().width; + } + const rectWidth = textWidth + padding; + // Insert rect before text + d3.select(this) + .insert('rect', 'text') + .attr('x', -rectWidth / 2) + .attr('y', -rectHeight / 2) + .attr('width', rectWidth) + .attr('height', rectHeight) + .attr('rx', rectRx) + .attr('ry', rectRy) + .attr('fill', (d: any) => d.id == activityName ? 'yellow' : defaultNodeColor) + .attr('stroke', self.BORDER_COLOR_OF_NODE) + .attr('stroke-width', 1.5); + }); this.simulation.nodes(this.graphData['nodes']).on('tick', ticked); From eef6df47ecb75ccd6eb25272f8996cadaf11fe75 Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Wed, 24 Sep 2025 20:59:00 +0200 Subject: [PATCH 09/23] Dependency: Improve layout --- .../dependency-graph.component.html | 2 +- .../dependency-graph.component.ts | 152 +++++++++++++++--- 2 files changed, 135 insertions(+), 19 deletions(-) 
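Review bot: the fallback width of 60 only applies when `getBBox` is missing, not when it returns 0, which can happen if the text is measured before the SVG is laid out or while it is hidden; `textWidth` then becomes 0 and the rect collapses to `padding` wide. Guard the value rather than the method: `const w = textElem?.getBBox?.().width; if (w) textWidth = w;`. Also `var defaultNodeColor` should be `const`, `d.id == activityName` should be `===`, and the `rectHeight`/`rectRx`/`rectRy`/`padding` literals would read better as `readonly` class fields next to `COLOR_OF_NODE`. The `ticked` function that follows is outside the hunk.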
diff --git a/src/app/component/dependency-graph/dependency-graph.component.html b/src/app/component/dependency-graph/dependency-graph.component.html index 3cef96373..88e1f241f 100644 --- a/src/app/component/dependency-graph/dependency-graph.component.html +++ b/src/app/component/dependency-graph/dependency-graph.component.html @@ -1 +1 @@ - + diff --git a/src/app/component/dependency-graph/dependency-graph.component.ts b/src/app/component/dependency-graph/dependency-graph.component.ts index cf5e1942c..07f15adfb 100644 --- a/src/app/component/dependency-graph/dependency-graph.component.ts +++ b/src/app/component/dependency-graph/dependency-graph.component.ts @@ -7,6 +7,7 @@ import { DataStore } from 'src/app/model/data-store'; export interface graphNodes { id: string; relativeLevel: number; + relativeCount: number; } export interface graphLinks { @@ -25,9 +26,10 @@ export interface graph { styleUrls: ['./dependency-graph.component.css'], }) export class DependencyGraphComponent implements OnInit { - SIZE_OF_NODE: number = 10; COLOR_OF_LINK: string = 'black'; - COLOR_OF_NODE: string = '#55bc55'; + COLOR_OF_NODE: string = '#66bb6a'; + COLOR_OF_PREDECESSOR: string = '#deeedeff'; + COLOR_OF_SUCCESSOR: string = '#fdfdfdff'; BORDER_COLOR_OF_NODE: string = 'black'; simulation: any; dataStore: Partial = {}; @@ -58,8 +60,9 @@ export class DependencyGraphComponent implements OnInit { populateGraphWithActivitiesCurrentActivityDependsOn(activity: Activity): void { this.addNode(activity.name); if (activity.dependsOn) { + let i: number = 1; for (const prececcor of activity.dependsOn) { - this.addNode(prececcor, -1); + this.addNode(prececcor, -1, i++); this.graphData['links'].push({ source: prececcor, target: activity.name, 
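Review bot: `i++` is evaluated on every iteration, but `addNode` discards the value when the node is already in `visited`, so `relativeCount` gets gaps whenever a predecessor was seen before; the `Math.ceil(d.relativeCount / col)` column math later in this patch then places nodes in sparser columns than intended. The dependents loop in the next hunk has the same pattern. Either increment only when the node was actually added (let `addNode` return a boolean) or maintain the per-level counter inside `addNode`.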
@@ -70,9 +73,10 @@ export class DependencyGraphComponent implements OnInit { populateGraphWithActivitiesThatDependsOnCurrentActivity(currentActivity: Activity) { const all: Activity[] = this.dataStore.activityStore?.getAllActivities?.() ?? []; + let i: number = 1; for (const activity of all) { if (activity.dependsOn?.includes(currentActivity.name)) { - this.addNode(activity.name, 1); + this.addNode(activity.name, 1, i++); this.graphData['links'].push({ source: currentActivity.name, target: activity.name, @@ -81,9 +85,9 @@ export class DependencyGraphComponent implements OnInit { } } - addNode(activityName: string, relativeLevel: number = 0): void { + addNode(activityName: string, relativeLevel: number = 0, relativeCount: number = 0): void { if (!this.visited.has(activityName)) { - this.graphData['nodes'].push({ id: activityName, relativeLevel: relativeLevel }); + this.graphData['nodes'].push({ id: activityName, relativeLevel, relativeCount }); this.visited.add(activityName); } } @@ -91,18 +95,22 @@ export class DependencyGraphComponent implements OnInit { generateGraph(activityName: string): void { let svg = d3.select('svg'); + + // Now that rectWidth is set on each node, set up the simulation this.simulation = d3 .forceSimulation() .force('link', d3.forceLink().id(function (d: any) { return d.id; - })) + }).strength(0.1)) .force('x', d3.forceX((d: any) => { - return d.relativeLevel * 300; - }).strength(10)) - .force('y', d3.forceY((d: any) => { - return d.relativeLevel * 30; - }).strength(10)) - .force('charge', d3.forceManyBody().strength(-8000)) + let col: number = 7; + return d.relativeLevel * Math.ceil(d.relativeCount / col) * 300; + }).strength(5)) + // .force('y', d3.forceY((d: any) => { + // return d.relativeLevel * 30; + // }).strength(10)) + .force('charge', d3.forceManyBody().strength(-80)) + .force('collide', d3.forceCollide((d: any) => 30)) .force('center', d3.forceCenter(0, 0)); svg 
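Review bot: the comment `// Now that rectWidth is set on each node, set up the simulation` is wrong at this point — `rectWidth` is only stored in the `node.each` measurement that runs later in `generateGraph` — and `forceCollide((d: any) => 30)` ignores `d` and uses a fixed circle, so it does not use the measured width either; the rectangular collision is handled separately by `rectCollide` on every tick. Drop the comment (or move it to where the widths exist), delete the commented-out `forceY` block instead of leaving dead code, and keep the `forceX` strength within d3's documented [0, 1] range rather than 5. `let col: number = 7;` inside the accessor never changes; hoist it as `const COLUMNS = 7;` outside the callback.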
@@ -110,12 +118,12 @@ export class DependencyGraphComponent implements OnInit { .append('marker') .attr('id', 'arrowhead') .attr('viewBox', '-0 -5 10 10') - .attr('refX', 18) + .attr('refX', 0) .attr('refY', 0) .attr('orient', 'auto') .attr('markerWidth', 13) .attr('markerHeight', 13) - .attr('xoverflow', 'visible') + .attr('overflow', 'visible') .append('svg:path') .attr('d', 'M 0,-5 L 10 ,0 L 0,5') .attr('fill', this.COLOR_OF_LINK) @@ -143,7 +151,6 @@ export class DependencyGraphComponent implements OnInit { - var defaultNodeColor = this.COLOR_OF_NODE; const rectHeight = 30; const rectRx = 10; const rectRy = 10; @@ -164,6 +171,7 @@ export class DependencyGraphComponent implements OnInit { textWidth = textElem.getBBox().width; } const rectWidth = textWidth + padding; + d.rectWidth = rectWidth; // Store for collision force // Insert rect before text d3.select(this) .insert('rect', 'text') 
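Review bot: `d.rectWidth = rectWidth;` attaches an ad-hoc property to the node object that the `graphNodes` interface does not declare, which is why the tick code and `rectCollide` have to take `any`. Declare it on the interface as `rectWidth?: number; // set once the label has been measured in generateGraph` so the consumers can be typed and the optional check in `x2`/`y2` is expressed by the type.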
@@ -173,16 +181,65 @@ export class DependencyGraphComponent implements OnInit { .attr('height', rectHeight) .attr('rx', rectRx) .attr('ry', rectRy) - .attr('fill', (d: any) => d.id == activityName ? 'yellow' : defaultNodeColor) + .attr('fill', (d: any) => { + if (d.relativeLevel == 0) return self.COLOR_OF_NODE; + return d.relativeLevel < 0 ? self.COLOR_OF_PREDECESSOR : self.COLOR_OF_SUCCESSOR; + }) .attr('stroke', self.BORDER_COLOR_OF_NODE) .attr('stroke-width', 1.5); }); - this.simulation.nodes(this.graphData['nodes']).on('tick', ticked); + this.simulation.nodes(this.graphData['nodes']).on('tick',() => { + self.rectCollide(this.graphData['nodes']); + ticked(); + }); this.simulation.force('link').links(this.graphData['links']); function ticked() { + + + // Improved rectangle edge intersection for arrowhead placement + function rectEdgeIntersection(sx: number, sy: number, tx: number, ty: number, rectWidth: number, rectHeight: number, offset: number = 0) { + // Rectangle centered at (tx, ty) + const dx = tx - sx; + const dy = ty - sy; + const w = rectWidth / 2; + const h = rectHeight / 2; + // Parametric line: (sx, sy) + t*(dx, dy), t in [0,1] + // Find smallest t in (0,1] where line crosses rectangle edge + let tMin = 1; + // Left/right sides + if (dx !== 0) { + let t1 = (w - (sx - tx)) / dx; + let y1 = sy + t1 * dy; + if (t1 > 0 && Math.abs(y1 - ty) <= h) tMin = Math.min(tMin, t1); + let t2 = (-w - (sx - tx)) / dx; + let y2 = sy + t2 * dy; + if (t2 > 0 && Math.abs(y2 - ty) <= h) tMin = Math.min(tMin, t2); + } + // Top/bottom sides + if (dy !== 0) { + let t3 = (h - (sy - ty)) / dy; + let x3 = sx + t3 * dx; + if (t3 > 0 && Math.abs(x3 - tx) <= w) tMin = Math.min(tMin, t3); + let t4 = (-h - (sy - ty)) / dy; + let x4 = sx + t4 * dx; + if (t4 > 0 && Math.abs(x4 - tx) <= w) tMin = Math.min(tMin, t4); + } + // Clamp tMin to [0,1] + tMin = Math.max(0, Math.min(1, tMin)); + // Move intersection back by 'offset' pixels along the direction from target to source + let px = sx 
+ dx * tMin; + let py = sy + dy * tMin; + if (offset > 0 && (dx !== 0 || dy !== 0)) { + const len = Math.sqrt(dx * dx + dy * dy); + px -= (dx / len) * offset; + py -= (dy / len) * offset; + } + return { x: px, y: py }; + } + link .attr('x1', function (d: any) { return d.source.x; @@ -191,9 +248,26 @@ export class DependencyGraphComponent implements OnInit { return d.source.y; }) .attr('x2', function (d: any) { + // If target has rectWidth, adjust arrow to edge minus offset + if (d.target.rectWidth) { + const pt = rectEdgeIntersection( + d.source.x, d.source.y, + d.target.x, d.target.y, + d.target.rectWidth, 30, 10 // rectHeight, offset + ); + return pt.x; + } return d.target.x; }) .attr('y2', function (d: any) { + if (d.target.rectWidth) { + const pt = rectEdgeIntersection( + d.source.x, d.source.y, + d.target.x, d.target.y, + d.target.rectWidth, 30, 10 + ); + return pt.y; + } return d.target.y; }); 
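Review bot: `rectEdgeIntersection` is declared inside `ticked`, so the function is re-created on every simulation tick; hoist it to module scope (it uses nothing from the closure) or make it a private method. Its `rectHeight` parameter is passed the literal `30`, the same value as the `rectHeight` constant in `generateGraph` and the `15` in `rectCollide`; one `readonly RECT_HEIGHT = 30` field would keep the three from drifting apart. In the fill accessor, `d.relativeLevel == 0` should be `===`. The enclosing `generateGraph` starts before this hunk and the `link` attribute chain continues in the next one.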
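Review bot: `rectEdgeIntersection` is computed twice per link per tick — once in `x2` and again with identical arguments in `y2`. Compute it once per link (a single `.each` that stores the point on `d`, or one helper that returns the point) and read `pt.x`/`pt.y` from the cached result; that halves the per-tick work and removes the duplicated seven-argument call. `30, 10 // rectHeight, offset` would also be clearer as named constants than as a trailing comment.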
@@ -202,4 +276,46 @@ export class DependencyGraphComponent implements OnInit { }); } } + + /** + * Custom rectangular collision force for D3 simulation. + * Pushes nodes apart if their rectangles (boxes) overlap. + * Assumes each node has .x, .y, and .rectWidth properties. + * Uses a fixed rectHeight of 30 (half = 15). + * @param nodes Array of node objects + */ + rectCollide(nodes: any[]) { + // Loop through all pairs of nodes + let node, nx1, nx2, ny1, ny2, other, ox1, ox2, oy1, oy2, i, n = nodes.length; + for (i = 0; i < n; ++i) { + node = nodes[i]; + // Calculate bounding box for node + nx1 = node.x - node.rectWidth / 2; + nx2 = node.x + node.rectWidth / 2; + ny1 = node.y - 15; // rectHeight / 2 + ny2 = node.y + 15; + for (let j = i + 1; j < n; ++j) { + other = nodes[j]; + // Calculate bounding box for other node + ox1 = other.x - other.rectWidth / 2; + ox2 = other.x + other.rectWidth / 2; + oy1 = other.y - 15; + oy2 = other.y + 15; + // Check for overlap between rectangles + if (nx1 < ox2 && nx2 > ox1 && ny1 < oy2 && ny2 > oy1) { + // Overlap detected, push nodes apart along the direction between them + let dx = (node.x - other.x) || (Math.random() - 0.5); + let dy = (node.y - other.y) || (Math.random() - 0.5); + let l = Math.sqrt(dx * dx + dy * dy); + let moveX = dx / l || 1; + let moveY = dy / l || 1; + node.x += moveX; + node.y += moveY; + other.x -= moveX; + other.y -= moveY; + } + } + } + } } + From 9934322186e5c3575221d8b6655f5132b3fe8d36 Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Wed, 24 Sep 2025 21:01:47 +0200 Subject: [PATCH 10/23] Linting --- .../dependency-graph.component.ts | 94 +++++++++++++------ 1 file changed, 66 insertions(+), 28 deletions(-) diff --git a/src/app/component/dependency-graph/dependency-graph.component.ts b/src/app/component/dependency-graph/dependency-graph.component.ts index 07f15adfb..eccaec7e2 100644 --- a/src/app/component/dependency-graph/dependency-graph.component.ts 
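Review bot: `rectCollide` assumes every node has `rectWidth` (the docstring says so, but nothing enforces it); when one does not, `undefined / 2` yields `NaN`, every comparison is false and the overlap is silently skipped. Add `if (!node.rectWidth || !other.rectWidth) continue;` before computing the boxes, or default to the same fallback width used when measuring. Using `Math.random()` to break ties makes the layout non-deterministic between runs, which is worth a comment, and the hard-coded `15` duplicates the 30-pixel height used in `generateGraph`. The `let node, nx1, ...` declaration list would read better as `const` bindings inside the loops.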
+++ b/src/app/component/dependency-graph/dependency-graph.component.ts @@ -95,22 +95,35 @@ export class DependencyGraphComponent implements OnInit { generateGraph(activityName: string): void { let svg = d3.select('svg'); - // Now that rectWidth is set on each node, set up the simulation this.simulation = d3 .forceSimulation() - .force('link', d3.forceLink().id(function (d: any) { - return d.id; - }).strength(0.1)) - .force('x', d3.forceX((d: any) => { - let col: number = 7; - return d.relativeLevel * Math.ceil(d.relativeCount / col) * 300; - }).strength(5)) + .force( + 'link', + d3 + .forceLink() + .id(function (d: any) { + return d.id; + }) + .strength(0.1) + ) + .force( + 'x', + d3 + .forceX((d: any) => { + let col: number = 7; + return d.relativeLevel * Math.ceil(d.relativeCount / col) * 300; + }) + .strength(5) + ) // .force('y', d3.forceY((d: any) => { // return d.relativeLevel * 30; // }).strength(10)) .force('charge', d3.forceManyBody().strength(-80)) - .force('collide', d3.forceCollide((d: any) => 30)) + .force( + 'collide', + d3.forceCollide((d: any) => 30) + ) .force('center', d3.forceCenter(0, 0)); svg @@ -149,22 +162,23 @@ export class DependencyGraphComponent implements OnInit { .append('g'); /* eslint-enable */ - - const rectHeight = 30; const rectRx = 10; const rectRy = 10; const padding = 20; // Append text first so we can measure it - node.append('text') + node + .append('text') .attr('dy', '0.35em') .attr('text-anchor', 'middle') - .text(function (d) { return d.id; }); + .text(function (d) { + return d.id; + }); // Now for each node, measure the text and insert a rect behind it const self = this; - node.each(function(this: SVGGElement, d: any) { + node.each(function (this: SVGGElement, d: any) { const textElem = d3.select(this).select('text').node() as SVGTextElement; let textWidth = 60; // fallback default if (textElem && textElem.getBBox) { 
@@ -189,7 +203,7 @@ export class DependencyGraphComponent implements OnInit { .attr('stroke-width', 1.5); }); - this.simulation.nodes(this.graphData['nodes']).on('tick',() => { + this.simulation.nodes(this.graphData['nodes']).on('tick', () => { self.rectCollide(this.graphData['nodes']); ticked(); }); @@ -197,10 +211,16 @@ export class DependencyGraphComponent implements OnInit { this.simulation.force('link').links(this.graphData['links']); function ticked() { - - // Improved rectangle edge intersection for arrowhead placement - function rectEdgeIntersection(sx: number, sy: number, tx: number, ty: number, rectWidth: number, rectHeight: number, offset: number = 0) { + function rectEdgeIntersection( + sx: number, + sy: number, + tx: number, + ty: number, + rectWidth: number, + rectHeight: number, + offset: number = 0 + ) { // Rectangle centered at (tx, ty) const dx = tx - sx; const dy = ty - sy; @@ -251,9 +271,13 @@ export class DependencyGraphComponent implements OnInit { // If target has rectWidth, adjust arrow to edge minus offset if (d.target.rectWidth) { const pt = rectEdgeIntersection( - d.source.x, d.source.y, - d.target.x, d.target.y, - d.target.rectWidth, 30, 10 // rectHeight, offset + d.source.x, + d.source.y, + d.target.x, + d.target.y, + d.target.rectWidth, + 30, + 10 // rectHeight, offset ); return pt.x; } @@ -262,9 +286,13 @@ export class DependencyGraphComponent implements OnInit { .attr('y2', function (d: any) { if (d.target.rectWidth) { const pt = rectEdgeIntersection( - d.source.x, d.source.y, - d.target.x, d.target.y, - d.target.rectWidth, 30, 10 + d.source.x, + d.source.y, + d.target.x, + d.target.y, + d.target.rectWidth, + 30, + 10 ); return pt.y; } 
@@ -286,7 +314,18 @@ export class DependencyGraphComponent implements OnInit { */ rectCollide(nodes: any[]) { // Loop through all pairs of nodes - let node, nx1, nx2, ny1, ny2, other, ox1, ox2, oy1, oy2, i, n = nodes.length; + let node, + nx1, + nx2, + ny1, + ny2, + other, + ox1, + ox2, + oy1, + oy2, + i, + n = nodes.length; for (i = 0; i < n; ++i) { node = nodes[i]; // Calculate bounding box for node @@ -304,8 +343,8 @@ export class DependencyGraphComponent implements OnInit { // Check for overlap between rectangles if (nx1 < ox2 && nx2 > ox1 && ny1 < oy2 && ny2 > oy1) { // Overlap detected, push nodes apart along the direction between them - let dx = (node.x - other.x) || (Math.random() - 0.5); - let dy = (node.y - other.y) || (Math.random() - 0.5); + let dx = node.x - other.x || Math.random() - 0.5; + let dy = node.y - other.y || Math.random() - 0.5; let l = Math.sqrt(dx * dx + dy * dy); let moveX = dx / l || 1; let moveY = dy / l || 1; @@ -318,4 +357,3 @@ export class DependencyGraphComponent implements OnInit { } } } - From 3548fd223d5cf91ba490d6e71eb7533b4d03c2ad Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Wed, 24 Sep 2025 21:14:42 +0200 Subject: [PATCH 11/23] Fixed unit test --- src/app/service/yaml-loader/yaml-loader.service.spec.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/app/service/yaml-loader/yaml-loader.service.spec.ts b/src/app/service/yaml-loader/yaml-loader.service.spec.ts index 9c0dde423..787f70f00 100644 --- a/src/app/service/yaml-loader/yaml-loader.service.spec.ts +++ b/src/app/service/yaml-loader/yaml-loader.service.spec.ts @@ -25,7 +25,7 @@ describe('YamlLoaderService', () => { providers: [YamlService], }); service = TestBed.inject(YamlService); - (service as any)._refs['/external.yaml'] = parse(mockReferencedYaml); + (service as any)._refs['external.yaml'] = parse(mockReferencedYaml); }); it('should be created', () => { From 49b558e306aaf23a7d5699ef2cc797eaa70865de Mon Sep 17 00:00:00 2001 
From: "vegard.bakke" Date: Mon, 22 Sep 2025 09:57:54 +0200 Subject: [PATCH 12/23] Activities: Updated to v4 level 1 review --- src/assets/YAML/default/activities.yaml | 700 +++++++++++++++++------- 1 file changed, 507 insertions(+), 193 deletions(-) diff --git a/src/assets/YAML/default/activities.yaml b/src/assets/YAML/default/activities.yaml index 5f0ac8637..418330a87 100644 --- a/src/assets/YAML/default/activities.yaml +++ b/src/assets/YAML/default/activities.yaml @@ -1,8 +1,4 @@ --- -#meta: - #source: https://raw.githubusercontent.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/refs/heads/main/src/assets/YAML/generated/generated.yaml - #version: 1.15.2 - Build and Deployment: Build: Building and testing of artifacts in virtual environments: 
@@ -56,25 +52,34 @@ Build and Deployment: C: false Defined build process: uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b - description: "A *build process* include more than just compiling your source - code. \nIt also includes steps such as managing (third party) dependencies, - \nenvironment configuration, running the unit tests, etc. \n\nA *defined build - process* has automated these steps to ensure consistency.\n\nThis can be done - with a Jenkinsfile, Maven, or similar tools.\n" - risk: Performing builds without a defined process is error prone; for example, - as a result of incorrect security related configuration. - measure: A well defined build process lowers the possibility of errors during - the build process. + description: | + A *build process* includes more than just compiling your source code. It also covers: + - Managing (third party) dependencies + - Environment configuration + - Running unit and integration tests + - Security scanning and compliance checks + - Artifact creation and storage + - Deployment preparation + + A *defined build process* automates these steps to ensure consistency, reproducibility, and security. Automation reduces human error and enforces security controls. Use tools such as Jenkins, GitHub Actions, GitLab CI, or Maven to codify the process. + risk: Performing builds without a defined and automated process is error-prone + and increases the risk of security misconfigurations, unauthorized changes, + and supply chain attacks. + measure: A well-defined, automated, and auditable build process lowers the possibility + of errors and unauthorized changes during the build process. It also enables + traceability and rapid response to incidents. + level: 1 difficultyOfImplementation: knowledge: 2 time: 3 resources: 2 usefulness: 4 - level: 1 assessment: | - - Show your build pipeline and an exemplary job (build + test). - - Show that every team member has access. - - Show that failed jobs are fixed. 
+ - Show your build pipeline configuration (e.g., Jenkinsfile, GitHub Actions workflow) and an exemplary job (build + test + security scan). + - Demonstrate that every team member has appropriate access (least privilege). + - Show that failed jobs are investigated and fixed promptly. + - Provide audit logs or evidence of build runs and changes. + - Document how security controls are enforced in the build process. Credits: AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/) implementation: @@ -184,9 +189,20 @@ Build and Deployment: resources: 3 usefulness: 3 level: 2 - implementation: [] + implementation: + - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b + name: Trivy + tags: [] + url: https://github.com/aquasecurity/trivy + - uuid: 7543a6f2-3850-47a9-bb2f-0987e2af6f6a + name: Syft + tags: + - sbom + - dependency + url: https://github.com/anchore/syft references: - samm2: [] + samm2: + - I-SB-1-A iso27001-2017: - 8.1 - 8.2 @@ -320,7 +336,7 @@ Build and Deployment: - Smoke Test references: samm2: - - TODO + - I-SD-2-A iso27001-2017: - 17.2.1 - 12.1.1 
@@ -381,18 +397,21 @@ Build and Deployment: C: false Defined deployment process: uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a - risk: Deployment of insecure or malfunctioning artifacts. + description: | + A defined deployment process is a documented and automated set of steps for releasing software into production. It ensures that deployments are consistent, secure, and auditable, reducing the risk of errors and unauthorized changes. This process should include validation, approval, and rollback mechanisms. + risk: Deployment based human routines are error prone, and of insecure or malfunctioning + artifacts. measure: Defining a deployment process ensures that there are established criteria in terms of functionalities, security, compliance, and performance, and that the artifacts meet them. + level: 1 difficultyOfImplementation: knowledge: 2 time: 2 resources: 1 usefulness: 4 - level: 1 dependsOn: - - Defined build process + - f6f7737f-25a9-4317-8de2-09bf59f29b5b implementation: - uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4 name: CI/CD tools @@ -415,6 +434,12 @@ Build and Deployment: - 8.32 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/74938a3f-1269-49b9-9d0f-c43a79a1985a + assessment: | + - Deployment process is documented and available to relevant staff + - All deployment steps are automated and version-controlled + - Approvals and access controls are enforced for production deployments + - Rollback procedures are defined and tested + - Deployment logs and evidence are retained for audit purposes comments: "" tags: - none @@ -568,7 +593,7 @@ Build and Deployment: exists (gathered manually or automatically). dependsOn: - Defined deployment process - - Inventory of production components + - 2a44b708-734f-4463-b0cb-86dc46344b2f difficultyOfImplementation: knowledge: 2 time: 2 
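Review bot: The rewritten `risk` line for `Defined deployment process` does not parse as a sentence (`Deployment based human routines are error prone, and of insecure or malfunctioning artifacts.`). Suggest `risk: Deployments that rely on manual routines are error-prone and may release insecure or malfunctioning artifacts.` The rest of the entry follows the same key order as the other level-1 rewrites in this commit.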
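Review bot: The `dependsOn` list in the `@@ -568,7 +593,7 @@` hunk now mixes a name reference (`- Defined deployment process`, left unchanged) with a UUID reference (`- 2a44b708-734f-4463-b0cb-86dc46344b2f`), and the `@@ -632,12 +659,12 @@` hunk keeps `- Defined deployment process` by name as well. If the loader resolves dependencies by UUID after this change those name entries are dangling; if it accepts both forms, the file should say so, because a later rename of the activity key silently breaks the name form while the UUID form survives. The uuid of that activity is visible in this patch (`74938a3f-1269-49b9-9d0f-c43a79a1985a`), so replacing the remaining name references with it keeps a single resolution path.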
@@ -608,7 +633,7 @@ Build and Deployment: Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. references: samm2: - - I-SD-2-A + - I-SB-1-B iso27001-2017: - 8.1 - 8.2 @@ -625,6 +650,8 @@ Build and Deployment: C: false Inventory of production components: uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f + description: | + An inventory of production components is a complete, up-to-date list of all applications and services running in production. This enables effective vulnerability management, incident response, and compliance. Without it, organizations risk running unmaintained or unauthorized software. risk: An organization is unaware of components like applications in production. Not knowing existing applications in production leads to not assessing it. measure: |- @@ -632,12 +659,12 @@ Build and Deployment: In a kubernetes cluster, namespaces can be automatically gathered and documented, e.g. in a JSON in a S3 bucket/git repository, dependency track. dependsOn: - Defined deployment process + level: 1 difficultyOfImplementation: knowledge: 1 time: 1 resources: 1 usefulness: 4 - level: 1 implementation: - uuid: 2210e02b-a856-4da4-8732-5acd77e20fca name: Backstage @@ -671,7 +698,7 @@ Build and Deployment: Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. references: samm2: - - I-SD-2-A + - I-SB-1-B iso27001-2017: - 8.1 - 8.2 
@@ -680,6 +707,12 @@ Build and Deployment: - 5.12 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Deployment/2a44b708-734f-4463-b0cb-86dc46344b2f + assessment: | + - Inventory of all production components exists and is regularly updated + - Inventory includes key metadata (e.g., version, owner, deployment date) + - Inventory is accessible to security and operations teams + - There is a process for adding, updating, and removing components + - Inventory reviews are performed and documented tags: - inventory teamsImplemented: @@ -694,7 +727,7 @@ Build and Deployment: measure: A documented inventory of dependencies used in artifacts like container images and containers exists. dependsOn: - - Inventory of production artifacts + - 83057028-0b77-4d2e-8135-40969768ae88 - SBOM of components difficultyOfImplementation: knowledge: 2 @@ -735,7 +768,9 @@ Build and Deployment: Collects namespaces and namespaces including responsible team and contact info through annotations/labels from Kubernetes clusters. Results are available in JSON and can be uploaded to S3, github and an API. references: samm2: - - I-SD-2-A + - I-SB-3-B + - I-SB-2-B + - I-SB-1-B iso27001-2017: - 8.1 - 8.2 @@ -864,7 +899,8 @@ Build and Deployment: dependsOn: - Same artifact for environments references: - samm2: [] + samm2: + - I-SD-2-A iso27001-2017: - 14.3.1 - 14.2.8 
@@ -888,15 +924,23 @@ Build and Deployment: Patch Management: A patch policy is defined: uuid: 99415139-6b50-441b-89e1-0aa59accd43d - risk: Vulnerabilities in running artifacts stay for long and might get exploited. - measure: A patch policy for all artifacts (e.g. in images) is defined. How often - is an image rebuilt? + description: | + A patch policy defines how and when software components, images, and dependencies are updated. A patch policy ensures that all these artifacts are regularly reviewed and updated, reducing the window of exposure to known threats. The policy should specify the frequency, responsibilities, and documentation requirements for patching. + risk: Vulnerabilities in running artifacts may persist for a long time and might + be exploited. + measure: Define a patch policy for all artifacts (e.g. in images) is defined. + How often is an image rebuilt? + assessment: | + - Patch policy is documented and accessible to relevant staff. + - The policy defines patch frequency and responsible roles. + - Patch actions and exceptions are logged and reviewed. + - Evidence of regular patching and policy review is available. + level: 1 difficultyOfImplementation: knowledge: 3 time: 1 resources: 2 usefulness: 4 - level: 1 implementation: [] references: samm2: 
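Review bot: The new `measure` text for `A patch policy is defined` is ungrammatical: `Define a patch policy for all artifacts (e.g. in images) is defined. How often is an image rebuilt?`. Suggest `measure: Define a patch policy for all artifacts (e.g. container images) that states how often they are rebuilt, who is responsible, and how exceptions are recorded.` That wording also matches the frequency/roles/logging bullets the new `assessment` block lists directly below it.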
@@ -921,17 +965,27 @@ Build and Deployment: C: false Automated PRs for patches: uuid: 8ae0b92c-10e0-4602-ba22-7524d6aed488 - risk: Components with known (or unknown) vulnerabilities might stay for long - and get exploited, even when a patch is available. - measure: |- - Fast patching of third party component is needed. The DevOps way is to have an automated pull request for new components. This includes - * Applications * Virtualized operating system components (e.g. container images) * Operating Systems * Infrastructure as Code/GitOps (e.g. argocd based on a git repository or terraform) + description: | + Automated PRs for patches ensure that updates for outdated or vulnerable dependencies are created and proposed without manual intervention. Tools continuously monitor for new versions or security advisories and immediately generate pull requests to update affected components in code, container images, or infrastructure. This process ensures that available patches are quickly visible to developers and can be reviewed and merged with minimal delay, reducing the risk window for known vulnerabilities. + risk: | + Components with known (or unknown) vulnerabilities might persist for a long time and be exploited, even when a patch is available. + measure: | + Fast patching of third-party components is needed. The DevOps way is to have an automated pull request for new components. This includes: + * Applications + * Virtualized operating system components (e.g., container images) + * Operating systems + * Infrastructure as Code/GitOps (e.g., ArgoCD based on a git repository or Terraform) + assessment: | + - Automated PR tooling is enabled for all relevant repositories. + - PRs are created automatically for outdated or vulnerable dependencies. + - PRs are reviewed and merged in a timely manner. + - Evidence of automated PRs and patching activity is available. 
+ level: 1 difficultyOfImplementation: knowledge: 2 time: 2 resources: 2 usefulness: 4 - level: 1 implementation: - uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4 name: dependabot 
@@ -1390,16 +1444,62 @@ Culture and Organization: C: false Conduction of simple threat modeling on technical level: uuid: 47419324-e263-415b-815d-e7161b6b905e + description: | + # OWASP SAMM Description + Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment. + + Threat modeling is a team exercise, including product owners, architects, security champions, and security testers. At this maturity level, expose teams and stakeholders to threat modeling to increase security awareness and to create a shared vision on the security of the system. + + At maturity level 1, you perform threat modeling ad-hoc for high-risk applications and use simple threat checklists, such as STRIDE. Avoid lengthy workshops and overly detailed lists of low-relevant threats. Perform threat modeling iteratively to align to more iterative development paradigms. If you add new functionality to an existing application, look only into the newly added functions instead of trying to cover the entire scope. A good starting point is the existing diagrams that you annotate during discussion workshops. Always make sure to persist the outcome of a threat modeling discussion for later use. + + Your most important tool to start threat modeling is a whiteboard, smartboard, or a piece of paper. Aim for security awareness, a simple process, and actionable outcomes that you agree upon with your team. Once requirements are gathered and analysis is performed, implementation specifics need to be defined. The outcome of this stage is usually a diagram outlining data flows and a general system architecture. This presents an opportunity for both threat modeling and attaching security considerations to every ticket and epic that is the outcome of this stage. 
+ + Source: https://owaspsamm.org/model/design/threat-assessment/stream-b/ + # OWASP Project Integration Description + There is some great advice on threat modeling out there *e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/) article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one. + + A bite sized primer by Adam Shostack himself can be found [here](https://adam.shostack.org/blog/2018/03/threat-modeling-panel-at-appsec-cali-2018/). + + OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling) on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html). Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/). + + There's a few projects that can help with creating Threat Models at this stage, [PyTM](https://github.com/izar/pytm) is one, [ThreatSpec](https://github.com/threatspec/threatspec) is another. + + > Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations. An example can be found below._ + + ![Threat Model](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/threat_model.png "Threat Model") + + Last, if the organizations maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function. + + ![SKF](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/skf_qs.png "SKF") + + This practice has the side effect that it trains non-security specialists to think like attackers. + + The outcomes of this stage should help lay the foundation of secure design and considerations. 
+ + **Example Low Maturity Scenario:** + + Following vague feature requirements the design includes caching data to a local unencrypted database with a hardcoded password. + + Remote data store access secrets are hardcoded in the configuration files. All communication between backend systems is plaintext. + + Frontend serves data over GraphQL as a thin layer between caching system and end user. + + GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries. Access to data is protected with basic auth set to _1234:1234_ for development purposes. + + Source: OWASP Project Integration Project risk: Technical related threats are discovered too late in the development and deployment process. - measure: Threat modeling of technical features is performed during the product - sprint planning. + measure: | + Perform threat modeling of technical features during product sprint planning using simple checklists and diagrams. Document identified threats and mitigations for new or changed functionality. + assessment: | + - Evidence of threat modeling activities exists for high-risk applications, including annotated diagrams and documented threats/mitigations. + - Activities are performed during sprint planning and involve relevant stakeholders. Outcomes are recorded and accessible for review. + level: 1 difficultyOfImplementation: knowledge: 2 time: 3 resources: 1 usefulness: 3 - level: 1 implementation: - uuid: c0533602-11b7-4838-93cc-a40556398163 name: Whiteboard 
@@ -1447,49 +1547,6 @@ Culture and Organization: - storage - cluster - kubernetes - description: | - # OWASP SAMM Description - Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment. - - Threat modeling is a team exercise, including product owners, architects, security champions, and security testers. At this maturity level, expose teams and stakeholders to threat modeling to increase security awareness and to create a shared vision on the security of the system. - - At maturity level 1, you perform threat modeling ad-hoc for high-risk applications and use simple threat checklists, such as STRIDE. Avoid lengthy workshops and overly detailed lists of low-relevant threats. Perform threat modeling iteratively to align to more iterative development paradigms. If you add new functionality to an existing application, look only into the newly added functions instead of trying to cover the entire scope. A good starting point is the existing diagrams that you annotate during discussion workshops. Always make sure to persist the outcome of a threat modeling discussion for later use. - - Your most important tool to start threat modeling is a whiteboard, smartboard, or a piece of paper. Aim for security awareness, a simple process, and actionable outcomes that you agree upon with your team. Once requirements are gathered and analysis is performed, implementation specifics need to be defined. The outcome of this stage is usually a diagram outlining data flows and a general system architecture. This presents an opportunity for both threat modeling and attaching security considerations to every ticket and epic that is the outcome of this stage. 
- - Source: https://owaspsamm.org/model/design/threat-assessment/stream-b/ - # OWASP Project Integration Description - There is some great advice on threat modeling out there *e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/) article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one. - - A bite sized primer by Adam Shostack himself can be found [here](https://adam.shostack.org/blog/2018/03/threat-modeling-panel-at-appsec-cali-2018/). - - OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling) on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html). Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/). - - There's a few projects that can help with creating Threat Models at this stage, [PyTM](https://github.com/izar/pytm) is one, [ThreatSpec](https://github.com/threatspec/threatspec) is another. - - > Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations. An example can be found below._ - - ![Threat Model](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/threat_model.png "Threat Model") - - Last, if the organizations maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function. - - ![SKF](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/skf_qs.png "SKF") - - This practice has the side effect that it trains non-security specialists to think like attackers. - - The outcomes of this stage should help lay the foundation of secure design and considerations. 
- - **Example Low Maturity Scenario:** - - Following vague feature requirements the design includes caching data to a local unencrypted database with a hardcoded password. - - Remote data store access secrets are hardcoded in the configuration files. All communication between backend systems is plaintext. - - Frontend serves data over GraphQL as a thin layer between caching system and end user. - - GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries. Access to data is protected with basic auth set to _1234:1234_ for development purposes. - - Source: OWASP Project Integration Project references: samm2: - D-TA-2-B @@ -1672,7 +1729,8 @@ Culture and Organization: level: 2 implementation: [] references: - samm2: [] + samm2: + - G-PS-2 iso27001-2017: - 5.1.1 - 7.2.1 
@@ -1691,17 +1749,23 @@ Culture and Organization: Education and Guidance: Ad-Hoc Security trainings for software developers: uuid: 12c90cc6-3d58-4d9b-82ff-d469d2a0c298 - risk: Understanding security is hard and personnel needs to be trained on it. - Otherwise, flaws like an SQL Injection might be introduced into the software - which might get exploited. - measure: Provide security awareness training for all personnel involved in software - development Ad-Hoc. + description: | + Ad-hoc security training provides basic awareness of software security risks and best practices to developers and other personnel involved in software development. These trainings are delivered as needed, without a fixed schedule, to address immediate knowledge gaps or respond to emerging threats. + risk: | + Without any security training, personnel may lack awareness of common software vulnerabilities (such as SQL Injection and vulnerable dependencies), increasing the risk of introducing exploitable flaws into applications. + measure: | + Provide security awareness training for all personnel involved in software development on an ad-hoc basis, ensuring that relevant topics are covered when new risks or needs are identified. + assessment: | + - Conduct security training for developers and relevant personnel + - Participants can identify common software security risks addressed in the training + - Training materials are available + - Attendance records are available + level: 1 difficultyOfImplementation: knowledge: 2 time: 1 resources: 1 usefulness: 3 - level: 1 implementation: - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a name: OWASP Juice Shop @@ -1713,6 +1777,7 @@ Culture and Organization: - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 name: OWASP Cheatsheet Series tags: + - training - secure coding url: https://cheatsheetseries.owasp.org/ references: 
@@ -2005,16 +2070,17 @@ Culture and Organization: [Source: OWASP SAMM 2](https://owaspsamm.org/model/governance/education-and-guidance/stream-a/) implementation: - - uuid: 81476121-67dd-4ba9-a67b-e78a23050c28 - name: OWASP JuiceShop - tags: [] + - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a + name: OWASP Juice Shop + tags: + - training url: https://github.com/bkimminich/juice-shop - description: |- - In case you do not have the budget to hire an external security expert, an option - is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday" + description: In case you do not have the budget to hire an external security + expert, an option is to use the OWASP JuiceShop on a "hacking Friday" - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 name: OWASP Cheatsheet Series tags: + - training - secure coding url: https://cheatsheetseries.owasp.org/ references: @@ -2046,15 +2112,15 @@ Culture and Organization: usefulness: 4 level: 4 implementation: - - uuid: 81476121-67dd-4ba9-a67b-e78a23050c28 - name: OWASP JuiceShop - tags: [] + - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a + name: OWASP Juice Shop + tags: + - training url: https://github.com/bkimminich/juice-shop - description: |- - In case you do not have the budget to hire an external security expert, an option - is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday" - - uuid: 99080ac7-60cd-46af-93a1-a53a33597cba - name: https://cheatsheetseries.owasp.org/ + description: In case you do not have the budget to hire an external security + expert, an option is to use the OWASP JuiceShop on a "hacking Friday" + - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 + name: OWASP Cheatsheet Series tags: - training - secure coding @@ -2093,6 +2159,7 @@ Culture and Organization: - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 name: OWASP Cheatsheet Series tags: + - training - secure coding url: https://cheatsheetseries.owasp.org/ dependsOn: 
@@ -2256,20 +2323,25 @@ Culture and Organization: C: false Security consulting on request: uuid: 0b28367b-75a0-4bae-a926-3725c1bf9bb0 - risk: Not asking a security expert when questions regarding security appear - might lead to flaws. - measure: Security consulting to teams is given on request. The security consultants - can be internal or external. + level: 1 + description: | + Security consulting on request allows teams to seek expert advice on security-related questions or challenges as they arise. This support can be provided by internal or external security consultants and helps address specific concerns during software development. + risk: | + If teams do not consult security experts when questions arise, security flaws may be introduced or remain undetected, increasing the risk of vulnerabilities in the software. + measure: | + Make security consulting available to teams on request, ensuring that expert advice is accessible when needed to address security concerns during development. + assessment: | + Records show that teams have access to security consulting services and have used them when needed. Documentation of consultations and resulting actions is available for review. difficultyOfImplementation: knowledge: 3 time: 1 resources: 1 usefulness: 3 - level: 1 implementation: - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 name: OWASP Cheatsheet Series tags: + - training - secure coding url: https://cheatsheetseries.owasp.org/ references: 
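Review bot: `level: 1` is placed before `description` in `Security consulting on request`, whereas every other entry touched in this commit (`Defined build process`, `A patch policy is defined`, `Ad-Hoc Security trainings for software developers`, and others) moves `level` to just after `assessment` and before `difficultyOfImplementation`. Moving the key to the same position keeps the entries uniform and avoids a second reorder later. The `assessment` here is also a single paragraph while the sibling entries use a `- ` bullet list; splitting it into two bullets (`- Teams have access to security consulting and records show it was used when needed` / `- Documentation of consultations and resulting actions is available for review`) would match.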
@@ -2448,23 +2520,23 @@ Culture and Organization: C: false Definition of simple BCDR practices for critical components: uuid: c72da779-86cc-45b1-a339-190ce5093171 - description: A _Business Continuity and Disaster Recovery_ (BCDR) is a plan - and a process that helps a business to return to normal operations if a disaster - occurs. - risk: If the disaster recovery actions are not clear, you risk slow reaction - and remediation delays. This applies to cyber attacks as well as natural emergencies, - such as a power outage. - measure: By understanding and documenting a business continuity and disaster - recovery (BCDR) plan, the overall availability of systems and applications - is increased. Success factors like responsibilities, Service Level Agreements, - Recovery Point Objectives, Recovery Time Objectives or Failover must be fully - documented and understood by the people involved in the recovery. + description: | + Business Continuity and Disaster Recovery (BCDR) is a plan and a process that enable an organization to quickly restore normal operations after a disruptive event, such as a cyberattack or natural disaster. + risk: | + If the disaster recovery actions are not clear, you risk slow reaction and remediation delays. + This applies to cyber attacks as well as natural emergencies, such as a power outage. + measure: | + Develop, document, and communicate a BCDR plan for all critical components. The plan must define roles and responsibilities, Service Level Agreements (SLAs), Recovery Point Objectives (RPOs), Recovery Time Objectives (RTOs), and failover procedures. Ensure all relevant personnel are trained and the plan is reviewed and updated regularly. + assessment: "- The organization has a documented BCDR plan covering all critical + components.\n- The plan clearly defines responsibilities, SLAs, RPOs, RTOs, + and failover steps. 
\n- Relevant staff are aware of the plan, and evidence + of regular review and testing is available.\n" + level: 1 difficultyOfImplementation: knowledge: 4 time: 3 resources: 2 usefulness: 4 - level: 1 implementation: [] references: samm2: [] @@ -2496,7 +2568,7 @@ Culture and Organization: usefulness: 3 level: 2 dependsOn: - - Inventory of production components + - 2a44b708-734f-4463-b0cb-86dc46344b2f implementation: - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb name: OWASP DefectDojo @@ -3104,7 +3176,7 @@ Implementation: usefulness: 3 level: 3 dependsOn: - - Require a PR before merging + - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 implementation: - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a name: Improve code quality with branch policies @@ -3150,7 +3222,7 @@ Implementation: usefulness: 4 level: 3 dependsOn: - - Require a PR before merging + - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 implementation: - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a name: Improve code quality with branch policies @@ -3292,7 +3364,7 @@ Implementation: usefulness: 4 level: 3 dependsOn: - - Require a PR before merging + - e7598ac4-b082-4e56-b7df-e2c6b426a5e2 implementation: - uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a name: Improve code quality with branch policies @@ -3476,7 +3548,7 @@ Implementation: name: Attack Matrix Containers tags: - mitre - url: https://attack.mitre.org/matrices/enterprise/cloud/ + url: https://attack.mitre.org/matrices/enterprise/containers/ description: Attack matrix for containers - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 name: Attack Matrix Kubernetes @@ -3587,7 +3659,7 @@ Implementation: name: Attack Matrix Containers tags: - mitre - url: https://attack.mitre.org/matrices/enterprise/cloud/ + url: https://attack.mitre.org/matrices/enterprise/containers/ description: Attack matrix for containers - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 name: Attack Matrix Kubernetes 
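Review bot: The new `assessment` for `Definition of simple BCDR practices for critical components` is written as a double-quoted scalar with embedded `\n` escapes and a line fold in the middle of a bullet, while `description`, `risk` and `measure` in the same entry use `|` block scalars. Converting it to a `|` block with one `- ` line per bullet matches the rest of the entry and removes the escape sequences. If this text came out of a YAML dumper, the dumper's default string style is the thing to fix so the next regeneration does not reintroduce the quoted form.
```yaml
# … unchanged: description, risk, measure …
assessment: |
  - The organization has a documented BCDR plan covering all critical components.
  - The plan clearly defines responsibilities, SLAs, RPOs, RTOs, and failover steps.
  - Relevant staff are aware of the plan, and evidence of regular review and testing is available.
level: 1
```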
@@ -4053,7 +4125,7 @@ Implementation: Default: false B: false C: false - Usage of a chaos monkey: + Usage of a chaos technology: uuid: f8e80f18-2503-4e3e-b3bc-7f67bb28defe risk: Due to manual changes on a system, they are not replaceable anymore. In case of a crash it might happen that a planned redundant system is unavailable. @@ -4066,7 +4138,18 @@ Implementation: resources: 5 usefulness: 3 level: 4 - implementation: [] + implementation: + - uuid: c117e79b-8223-4e55-9da5-efbf5d741c15 + name: Chaos Monkey + tags: + - chaos + - testing + url: https://github.com/Netflix/chaosmonkey + description: Chaos Monkey is a resiliency tool that helps applications tolerate + random instance failures. Chaos Monkey randomly terminates virtual machine + instances and containers that run inside of your production environment. + Exposing engineers to failures more frequently incentivizes them to build + resilient services. references: samm2: - O-EM-1-A 
@@ -4480,17 +4563,20 @@ Information Gathering: C: false Centralized system logging: uuid: 4eced38a-7904-4c45-adb0-50b663065540 - risk: Local stored system logs can be unauthorized manipulated by attackers - or might be corrupt after an incident. In addition, it is hard to perform - a aggregation of logs. - measure: By using centralized logging logs are protected against unauthorized - modification. + description: | + Centralized system logging involves collecting and storing system logs from multiple sources in a secure, central location. This approach improves log integrity, simplifies monitoring, and enables efficient incident response. + risk: | + Locally stored system logs can be manipulated by attackers unauthorized or might be corrupt or lost after an incident. In addition, it is hard to perform aggregation of logs. + measure: | + - Implement a centralized logging solution for all critical systems. + - System logs must be securely transmitted and stored in a central repository, protected from unauthorized access and modification. + - Ensure that log collection is automated and covers all relevant system events. + level: 1 difficultyOfImplementation: knowledge: 1 time: 1 resources: 1 usefulness: 2 - level: 1 implementation: - uuid: 79f88310-d63e-471d-8e63-8c77f2281b66 name: rsyslog @@ -4794,7 +4880,8 @@ Information Gathering: implementation: [] references: samm2: - - I-DM-A 3 + - O-IM-2-A + - I-DM-3-A iso27001-2017: - 16.1.2 - 16.1.4 
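Review bot: The rewritten `measure` for Centralized system logging says logs "must be securely transmitted and stored" without saying what that means, so the activity cannot be assessed and the integrity benefit claimed in `description` is not actually required. Spell out the two properties that deliver it: `- Forward logs over an authenticated, encrypted channel (e.g. TLS) and keep the central store append-only, with write-only access for forwarding hosts and no delete permission` — otherwise an attacker who controls a host can still truncate that host's history at the collector. Clock synchronisation (NTP) across sources deserves a line too, since correlation during incident response depends on it. The risk sentence "manipulated by attackers unauthorized" should read "manipulated by unauthorized attackers".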
@@ -5081,8 +5168,11 @@ Information Gathering: C: false Simple application metrics: uuid: e9a6d403-a467-445e-b98a-74f0c29da0b1 - risk: Attacks on an application are not recognized. - measure: |- + description: | + Collecting basic operational data from applications, such as authentication attempts, transaction volumes, and resource usage, will help detect abnormal patterns that may indicate security incidents or system issues. + risk: | + Without monitoring application metrics, attacks or abnormal behaviors may go undetected, increasing the risk of successful exploitation, data breaches, and delayed incident response. + measure: | Gathering of application metrics helps to identify incidents like brute force attacks, login/logout patterns, and unusual spikes in activity. Key metrics to monitor include: - Authentication attempts (successful/failed logins) - Transaction volumes and patterns (e.g. orders, payments) @@ -5095,12 +5185,14 @@ Information Gathering: - A security incident (automated bulk purchase bots, credential stuffing attack) By monitoring these basic metrics, teams can quickly investigate abnormal patterns and determine if they represent security incidents requiring response. + assessment: | + - Basic application metrics are collected and reviewed. + level: 1 difficultyOfImplementation: knowledge: 2 time: 2 resources: 2 usefulness: 5 - level: 1 implementation: - uuid: ddf221df-3517-42e4-b23d-c1d9a162744c name: Prometheus 
@@ -5124,16 +5216,21 @@ Information Gathering: C: false Simple budget metrics: uuid: f08a3219-6941-43ec-8762-4aff739f4664 - risk: Not getting notified about reaching the end of the budget (e.g. due to - a denial of service) creates unexpected costs. - measure: Cloud providers often provide insight into budgets. A threshold and - alarming for the budget is set. + description: | + Monitoring resource usage and costs to prevent unexpected expenses. This is especially important in cloud environments where resource consumption can quickly exceed planned budgets. + risk: | + Failure to monitor budget metrics can result in unexpected costs, financial loss, and potential service disruption due to resource exhaustion or denial-of-service attacks. + measure: | + Set up budget monitoring and alerting for all critical resources. Use provider tools to track spending and configure alerts when thresholds are reached. Implement hard limits where possible to prevent budget overruns. + assessment: | + - The organization regularly monitors budget metrics + - Alerting outside given thresholds are implemented + level: 1 difficultyOfImplementation: knowledge: 1 time: 1 resources: 1 usefulness: 5 - level: 1 implementation: - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8 name: collected 
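Review bot: The new `measure` for Simple budget metrics recommends "hard limits where possible", but a hard spending cap also turns a cost-exhaustion attack into a self-inflicted outage: once the cap is reached the provider stops the service, which is the denial of service the activity's own `risk` text wants to avoid. Qualify it, e.g. `Apply hard limits to non-critical or sandbox resources; for production prefer tiered alerts with a documented response and per-resource caps rather than an account-wide cut-off.` The `assessment` line "Alerting outside given thresholds are implemented" should read "Alerting on threshold breaches is implemented".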
@@ -5156,19 +5253,21 @@ Information Gathering: C: false Simple system metrics: uuid: 3d1f4c3b-f713-46d9-933a-54a014a26c03 - risk: Without simple metrics analysis of incidents are hard. In case an application - uses a lot of CPU from time to time, it is hard for a developer to find out - the source with Linux commands. - measure: Gathering of system metrics helps to identify incidents and specially - bottlenecks like in CPU usage, memory usage and hard disk usage. + description: | + Monitoring basic system performance data, such as CPU, memory, and disk usage, will help identify performance bottlenecks and potential security incidents. + risk: | + Without monitoring system metrics, it is difficult to detect incidents or performance issues, leading to delayed response, reduced availability, and increased risk of undetected attacks. + measure: | + Collect and monitor key system metrics, including CPU, memory, and disk usage. Set up alerts for abnormal resource consumption or patterns that may indicate incidents or attacks. + assessment: | + - Basic system metrics are monitored and reviewed regularly + - Alerting outside given thresholds are implemented + level: 1 difficultyOfImplementation: knowledge: 2 time: 2 resources: 2 usefulness: 5 - assessment: | - Are system metrics gathered? - level: 1 implementation: - uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8 name: collected @@ -5206,7 +5305,8 @@ Information Gathering: implementation: [] references: samm2: - - I-DM-A 3 + - O-IM-2-A + - I-DM-3-A iso27001-2017: - Not explicitly covered by ISO 27001 - too specific - 16.1.5 @@ -5303,6 +5403,7 @@ Information Gathering: references: samm2: - I-DM-3-B + - I-SB-3-B iso27001-2022: - 5.25 - 5.12 @@ -5367,6 +5468,7 @@ Information Gathering: references: samm2: - I-DM-2-B + - I-SB-3-B iso27001-2017: - 16.1.4 - 8.2.3 @@ -5407,6 +5509,7 @@ Information Gathering: references: samm2: - I-DM-3-B + - I-SB-3-B iso27001-2022: - 5.25 - 5.12 
@@ -5456,6 +5559,7 @@ Information Gathering: references: samm2: - I-DM-3-B + - I-SB-3-B iso27001-2022: - 5.25 - 5.12 @@ -5492,7 +5596,7 @@ Information Gathering: usefulness: 3 level: 2 dependsOn: - - Automated PRs for patches + - 8ae0b92c-10e0-4602-ba22-7524d6aed488 implementation: [] references: samm2: @@ -5529,8 +5633,8 @@ Information Gathering: usefulness: 3 level: 4 dependsOn: - - Patching mean time to resolution via PR - - Automated PRs for patches + - 86d490b9-d798-4a5b-a011-ab9688014c46 + - 8ae0b92c-10e0-4602-ba22-7524d6aed488 implementation: [] references: samm2: @@ -5601,6 +5705,7 @@ Information Gathering: references: samm2: - I-DM-3-B + - I-SB-3-B iso27001-2022: - 5.25 - 5.12 
@@ -5815,6 +5920,77 @@ Test and Verification: Default: false B: false C: false + Artifact-based false positive treatment: + uuid: 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f + risk: Without artifact-specific false positive handling, teams must repeatedly + triage the same findings across different versions or deployments of the same + component, leading to inefficient use of security resources. + measure: "Implement false positive marking and temporary acceptance of findings + \nbased on specific artifacts (applications, components, or repositories).\nThis + allows teams to suppress findings for specific versions or builds\nwhile maintaining + visibility for future releases." + description: |- + Artifact-based false positive treatment enables more granular control + over finding suppression by linking decisions to specific code artifacts, + container images, or application versions. This approach helps maintain + security oversight while reducing repeated analysis overhead. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 2 + dependsOn: + - Simple false positive treatment + implementation: + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
+ - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + references: + samm2: + - I-DM-2-A + - I-DM-2-B + - I-SB-3-B + iso27001-2017: + - 16.1.4 + - 16.1.6 + iso27001-2022: + - 5.25 + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f + tags: + - false-positive + - defect-management + teamsImplemented: + Default: false + B: false + C: false Fix based on accessibility: uuid: 0c10a7f7-f78f-49f2-943d-19fdef248fed risk: Overwhelming volume of security findings from automated testing tools. @@ -5834,12 +6010,13 @@ Test and Verification: - The number of network hops required to reach the asset (recommended) - Authentication requirements for access (recommended) dependsOn: - - Treatment of defects with severity high or higher - - Inventory of production components + - 44f2c8a9-4aaa-4c72-942d-63f78b89f385 + - 2a44b708-734f-4463-b0cb-86dc46344b2f implementation: ~ references: samm2: - I-DM-3-B + - I-SB-3-B iso27001-2017: - 16.1.4 - 8.2.1 
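Review bot: The new Artifact-based false positive treatment activity declares `dependsOn: - Simple false positive treatment` by name, while every other `dependsOn` this commit touches is converted to the target's UUID (for that activity it is `c1acc8af-312e-4503-a817-a26220c993a0`, see the hunk at `@@ -6028`); if the loader now resolves dependencies by UUID this edge silently dangles. In the same hunk the Dependency-Track implementation has its description stuffed into `name:` with no `description:` key, and `inventory` appears twice in its `tags`. The measure would also be more actionable if it said what an "artifact" is keyed on: suppressions should be bound to an immutable identity (image digest, exact package version), since a decision attached to a mutable tag such as `latest` carries over to every later build unnoticed.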
@@ -5859,6 +6036,52 @@ Test and Verification: Default: false B: false C: false + Global false positive treatment: + uuid: 9e3a7c2f-1b4d-4e8a-a5c6-7f2b9d1e3a8c + risk: Without centralized false positive management across environments, organizations + face inconsistent security decisions, duplicated analysis efforts, and potential + security gaps when the same findings are handled differently across applications + and teams. + measure: "Implement global false positive and acceptance management that applies + \nconsistently across all applications. This enables organization-wide security + decisions and reduces redundant \nanalysis of common false positives." + description: "Global false positive treatment allows (security) teams to make + \norganization-wide decisions about specific vulnerabilities or finding \npatterns. + When a finding is marked as a false positive or temporarily \naccepted at + the global level, this decision automatically applies to \nall applications + in the specified environment, ensuring consistency \nand operational efficiency." + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f + - 85ba5623-84be-4219-8892-808837be582d + implementation: ~ + references: + samm2: + - I-DM-2-B + - I-DM-3-A + - I-SB-3-B + iso27001-2017: + - 16.1.3 + - 16.1.4 + - 16.1.6 + iso27001-2022: + - 6.8 + - 5.25 + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/9e3a7c2f-1b4d-4e8a-a5c6-7f2b9d1e3a8c + tags: + - false-positive + - defect-management + teamsImplemented: + Default: false + B: false + C: false Integration in development process: uuid: aaffa73f-59f6-4267-b0ab-732f3d13e90d risk: "Not integrating vulnerability handling into the development process may @@ -6007,6 +6230,7 @@ Test and Verification: references: samm2: - I-DM-2-B + - I-SB-3-B iso27001-2017: - 16.1.4 - 8.2.1 
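Review bot: The Global false positive treatment `measure` lets one decision suppress a finding "across all applications" but sets no control on how such a decision is made, who owns it or when it expires, which is precisely where a global suppression turns into a global blind spot. Add to the measure: `Global acceptances require an owner, a documented rationale, an expiry date and an audit trail, and are re-validated whenever the suppressed rule or the affected component changes.` The second `dependsOn` entry `85ba5623-84be-4219-8892-808837be582d` does not appear anywhere else in this patch, so its target should be double-checked. This entry uses `implementation: ~` while most activities use `[]`; the loader presumably treats both as empty, but picking one form removes the assumption.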
@@ -6028,9 +6252,17 @@ Test and Verification: C: false Simple false positive treatment: uuid: c1acc8af-312e-4503-a817-a26220c993a0 - risk: As false positive occur during each test, all vulnerabilities might be - ignored. Specially, if tests are automated an run daily. - measure: |- + description: "Security tests may produce false positives\u2014findings that + are incorrectly identified as vulnerabilities.\n\nIt is important distinguish + these from true vulnerabilities to avoid wasting time and resources on non-issues.\n\nFalse + positive treatment ensures that findings from security tests are triaged and + documented, allowing teams to distinguish between real vulnerabilities and + false positives. This reduces unnecessary work and helps maintain focus on + true risks.\n\nSome positive findings might be considered an accepted risk + by the organization. This must also be documented.\n" + risk: | + If false positives are not managed, teams may ignore all findings, leading to real vulnerabilities being overlooked and increasing the risk of exploitation. Specially, if tests are automated an run daily. + measure: | Findings from security tests must be triaged and outcomes persisted/documented to: - Prevent re-analysis of known issues in subsequent test runs - Track accepted risks vs false positives 
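Review bot: The rewritten `description` of Simple false positive treatment is a double-quoted scalar with `\u2014` and `\n` escapes, whereas every other field this commit rewrites uses a `|` block scalar, so this is the one field a reviewer cannot read in the diff. It also carries the typos "It is important distinguish" (missing "to") and, in `risk`, "an run daily" (should be "and run daily"). Converting it to a block scalar with a plain dash would fix the readability and match the `risk`/`measure` keys right below it.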
@@ -6042,17 +6274,23 @@ Test and Verification: - [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck/general/suppression.html) - [Kubescape with VEX](https://kubescape.io/blog/2023/12/07/kubescape-support-for-vex-generation/) - [OWASP DefectDojo Risk Acceptance](https://docs.defectdojo.com/en/working_with_findings/findings_workflows/risk_acceptances/) and [False Positive Handling](https://docs.defectdojo.com/en/working_with_findings/intro_to_findings/#triage-vulnerabilities-using-finding-status) + assessment: | + The organization has a process for triaging and documenting false positives and accepted risks + level: 1 difficultyOfImplementation: knowledge: 1 time: 1 resources: 1 usefulness: 4 - level: 1 implementation: - - uuid: bb9d0f2d-f8bc-46b5-bbc7-7dbcf927191c - name: OWASP Defect Dojo - tags: [] + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 name: Purify tags: @@ -6164,6 +6402,7 @@ Test and Verification: references: samm2: - I-DM-2-B + - I-SB-3-B iso27001-2017: - 16.1.4 - 12.6.1 
@@ -6253,16 +6492,23 @@ Test and Verification: C: false Treatment of defects with severity high or higher: uuid: 44f2c8a9-4aaa-4c72-942d-63f78b89f385 - risk: Vulnerabilities with severity high or higher are not visible. - measure: Vulnerabilities with severity high or higher are added to the quality - gate. + description: | + All security problems that are rated as "high" or "critical" must be fixed before the software can be released or used in production. This means that if a serious vulnerability is found, it cannot be ignored or postponed. + risk: | + If serious security problems are not fixed, attackers could exploit them to steal data, disrupt services, or cause other harm. Ignoring these issues puts the organization, its customers, and its reputation at risk. + measure: | + - Make it a rule that all high or critical security findings must be fixed before the software is approved for release or use. + - Track these issues and make sure they are resolved quickly. + - Pay extra attention to Known Exploited Vulnerabilities (KEV) from CISA and EPSS scores when prioritizing fixes. + assessment: | + There is clear evidence that all high or critical security issues are tracked and fixed before release. No high or critical issues remain open in production systems. + comments: False positive analysis, specially for static analysis, is time consuming. + level: 1 difficultyOfImplementation: knowledge: 2 time: 2 resources: 1 usefulness: 4 - level: 1 - comments: False positive analysis, specially for static analysis, is time consuming. references: samm2: - I-DM-2-B 
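Review bot: The new `assessment` for Treatment of defects with severity high or higher states "No high or critical issues remain open in production systems", which contradicts the accepted-risk process the same commit documents under Simple false positive treatment ("Some positive findings might be considered an accepted risk ... must also be documented"). Phrase it as `No high or critical findings remain open in production without a documented, time-boxed risk acceptance.` The `measure` also tells readers to weigh EPSS scores, but the implementation list in the next hunk only links the CISA KEV catalog; add the FIRST EPSS reference or drop the mention so the measure stays checkable.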
@@ -6274,7 +6520,24 @@ Test and Verification: - 5.25 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/44f2c8a9-4aaa-4c72-942d-63f78b89f385 - implementation: [] + implementation: + - uuid: aa507341-9531-42cd-95cf-d7b51af47086 + name: Known Exploited Vulnerabilities + tags: + - vulnerability + url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog + description: A catalog of vulnerabilities that have been exploited. + - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b + name: Trivy + tags: [] + url: https://github.com/aquasecurity/trivy + - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b + name: Grype + tags: + - sbom + - dependency + - vulnerability + url: https://github.com/anchore/grype tags: - vuln-action - defect-management @@ -6296,6 +6559,7 @@ Test and Verification: references: samm2: - I-DM-2-B + - I-SB-3-B iso27001-2017: - 16.1.4 - 12.6.1 @@ -6325,9 +6589,9 @@ Test and Verification: resources: 2 usefulness: 2 dependsOn: - - Exploit likelihood estimation - - Each team has a security champion - - Office Hours + - f2f0f274-c1a0-4501-92fe-7fc4452bc8ad + - 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 + - 185d5a74-19dc-4422-be07-44ea35226783 level: 3 description: "For known vulnerabilities a processes to estimate the exploit ability of a vulnerability is recommended.\n\nTo implement a security culture @@ -6360,6 +6624,8 @@ Test and Verification: references: samm2: - I-DM-1-B + - I-SB-2-B + - I-SB-3-B iso27001-2017: - 12.6.1 - 16.1.3 @@ -6949,7 +7215,7 @@ Test and Verification: tags: [] url: https://github.com/controlplaneio/netassert dependsOn: - - Isolated networks for virtual environments + - 4ce24abd-8ba6-494c-828d-4d193e28e4a1 references: samm2: - V-ST-2-A 
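Review bot: In the new `implementation` list here, Grype is given uuid `7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b`, which is the uuid used for Trivy two entries above and again for Trivy in the `@@ -7412` hunk, so the two tools collide wherever implementations are keyed by uuid. Grype needs its own uuid, and the Trivy entry here still has `tags: []` and no `description:` while the Grype entry carries tags — copy-pasted metadata that should be aligned. The KEV entry's description "A catalog of vulnerabilities that have been exploited" undersells the source; `Catalog of CVEs with confirmed in-the-wild exploitation, maintained by CISA; a prioritisation input, not a severity score.` is more accurate.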
@@ -7107,7 +7373,7 @@ Test and Verification: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static depth for applications/017d9e26-42b5-49a4-b945-9f59b308fb99 dependsOn: - - Inventory of production components + - 2a44b708-734f-4463-b0cb-86dc46344b2f tags: - none teamsImplemented: @@ -7202,7 +7468,7 @@ Test and Verification: usefulness: 4 level: 3 dependsOn: - - Software Composition Analysis (server side) + - d918cd44-a972-43e9-a974-eff3f4a5dcfe implementation: - uuid: aa507341-9531-42cd-95cf-d7b51af47086 name: Known Exploited Vulnerabilities @@ -7220,6 +7486,7 @@ Test and Verification: references: samm2: - V-ST-2-A + - I-SB-3-B iso27001-2017: - 12.6.1 iso27001-2022: @@ -7306,8 +7573,8 @@ Test and Verification: level: 3 dependsOn: - Defined build process - - Inventory of production components - - Exploit likelihood estimation + - 2a44b708-734f-4463-b0cb-86dc46344b2f + - f2f0f274-c1a0-4501-92fe-7fc4452bc8ad implementation: - uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7 name: retire.js @@ -7342,6 +7609,7 @@ Test and Verification: references: samm2: - V-ST-2-A + - I-SB-2-B iso27001-2017: - 12.6.1 iso27001-2022: @@ -7372,7 +7640,7 @@ Test and Verification: level: 2 dependsOn: - Defined build process - - Inventory of production components + - 2a44b708-734f-4463-b0cb-86dc46344b2f implementation: - uuid: 06334caf-8be6-487a-96b1-d41c7ed5f207 name: OWASP Dependency Check @@ -7412,12 +7680,13 @@ Test and Verification: description: | Dependabot creates pull requests to keep your dependencies secure and up-to-date. - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b - name: https://github.com/aquasecurity/trivy + name: Trivy tags: [] url: https://github.com/aquasecurity/trivy references: samm2: - V-ST-2-A + - I-SB-2-B iso27001-2017: - 12.6.1 iso27001-2022: 
@@ -7444,11 +7713,12 @@ Test and Verification: dependsOn: - Static analysis for important client side components - Static analysis for important server side components - - Inventory of production components + - 2a44b708-734f-4463-b0cb-86dc46344b2f implementation: [] references: samm2: - V-ST-2-A + - I-SB-3-B iso27001-2017: - 12.6.1 iso27001-2022: @@ -7508,10 +7778,11 @@ Test and Verification: dependsOn: - Static analysis for important client side components - Static analysis for important server side components - - Inventory of production components + - 2a44b708-734f-4463-b0cb-86dc46344b2f references: samm2: - V-ST-2-A + - I-SB-3-B iso27001-2017: - 12.6.1 iso27001-2022: @@ -7575,7 +7846,7 @@ Test and Verification: - sast dependsOn: - Defined build process - - Inventory of production components + - 2a44b708-734f-4463-b0cb-86dc46344b2f references: samm2: - V-ST-2-A @@ -7637,10 +7908,11 @@ Test and Verification: - sast dependsOn: - Defined build process - - Inventory of production components + - 2a44b708-734f-4463-b0cb-86dc46344b2f references: samm2: - V-ST-2-A + - I-SB-3-B iso27001-2017: - 12.6.1 iso27001-2022: @@ -7989,7 +8261,7 @@ Test and Verification: often too fine-granular. implementation: - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b - name: https://github.com/aquasecurity/trivy + name: Trivy tags: [] url: https://github.com/aquasecurity/trivy - uuid: 8737c6c0-4e90-400a-bf9a-f8e399913b57 
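Review bot: The `dependsOn` migration from activity names to UUIDs is incomplete: in this hunk (and in the `@@ -7306`, `@@ -7372`, `@@ -7508`, `@@ -7575` and `@@ -7637` hunks) only `Inventory of production components` is replaced by `2a44b708-734f-4463-b0cb-86dc46344b2f`, while `Static analysis for important client side components`, `Static analysis for important server side components` and `Defined build process` stay as names. If the resolver now expects UUIDs these edges silently vanish from the dependency graph; if it accepts both forms, that should be stated on the loader rather than left implicit. Finishing the conversion in the same commit leaves the data file with a single reference form.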
@@ -8187,11 +8459,52 @@ Test and Verification: Default: false B: false C: false - Test for stored secrets: + Test for stored secrets in build artifacts: + uuid: d5e6303c-d5c6-4d59-b258-a3b9de38a07f + risk: Stored secrets in container images or other build artifacts shouldn't + exists because they might be exposed to unauthorized parties. + measure: Test for secrets in container images and other artifacts + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 2 + level: 1 + implementation: + - uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6 + name: truffleHog + tags: [] + url: https://github.com/dxa4481/truffleHog + - uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835 + name: go-pillage-registries + tags: [] + url: https://github.com/nccgroup/go-pillage-registries + references: + samm2: + - V-ST-1-A + iso27001-2017: + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 9.4.3 + - 10.1.2 + iso27001-2022: + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 5.17 + - 8.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/d5e6303c-d5c6-4d59-b258-a3b9de38a07f + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for stored secrets in code: uuid: c6e3c812-56e2-41b0-ae01-b7afc41a004c - risk: Stored secrets in git history, in container images or directly in code - shouldn't exists because they might be exposed to unauthorized parties. - measure: Test for secrets in code, container images and history + risk: Stored secrets in git history or directly in code shouldn't exists because + they might be exposed to unauthorized parties. + measure: Test for secrets in code and git history difficultyOfImplementation: knowledge: 2 time: 1 @@ -8578,6 +8891,7 @@ Test and Verification: references: samm2: - I-SB-3-A + - V-ST-3-A iso27001-2017: - 14.2.3 - 14.2.8 
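Review bot: The new activity Test for stored secrets in build artifacts copies its ISO 27001 entries from the code variant, including the note "vcs usage is not explicitly covered by ISO 27001 - too specific", which no longer fits an activity about container images and artifacts rather than version control; reword it, e.g. `artifact scanning is not explicitly covered by ISO 27001 - too specific`. The truffleHog link points at `dxa4481/truffleHog`; as far as I know the project now lives under `trufflesecurity/trufflehog`, so the URL should be verified, and a one-line `description:` on each tool would tell readers which one scans images and which one pulls registries. "shouldn't exists" in both `risk` texts should be "should not exist".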
From 391fa0a8061fed11dfa7e690a5d71820a539ea77 Mon Sep 17 00:00:00 2001 From: "vegard.bakke" Date: Thu, 25 Sep 2025 22:15:11 +0200 Subject: [PATCH 13/23] Dependency: Fixed nfOnChange --- .../activity-description.component.html | 23 +- .../dependency-graph.component.ts | 306 ++++++++++-------- .../circular-heatmap.component.html | 24 ++ 3 files changed, 203 insertions(+), 150 deletions(-) diff --git a/src/app/component/activity-description/activity-description.component.html b/src/app/component/activity-description/activity-description.component.html index 10b41287a..a4137bc11 100644 --- a/src/app/component/activity-description/activity-description.component.html +++ b/src/app/component/activity-description/activity-description.component.html @@ -1,6 +1,6 @@

- {{ currentActivity.category }} -> {{ currentActivity.dimension }}: + {{ currentActivity.dimension }}: {{ currentActivity.name }}

@@ -46,6 +46,15 @@

+ + + + Assessment + + +

+
+ @@ -95,15 +104,6 @@

- - - - Assessment - - -

-
- @@ -230,10 +230,11 @@

Implemented

+ - Depends on + Dependencies
diff --git a/src/app/component/dependency-graph/dependency-graph.component.ts b/src/app/component/dependency-graph/dependency-graph.component.ts
index eccaec7e2..7b133f3f9 100644
--- a/src/app/component/dependency-graph/dependency-graph.component.ts
+++ b/src/app/component/dependency-graph/dependency-graph.component.ts
@@ -1,4 +1,4 @@
-import { Component, OnInit, Input, ElementRef } from '@angular/core';
+import { Component, OnInit, Input, ElementRef, SimpleChanges, OnChanges } from '@angular/core';
 import * as d3 from 'd3';
 import { LoaderService } from '../../service/loader/data-loader.service';
 import { Activity } from 'src/app/model/activity-store';
@@ -7,7 +7,8 @@ import { DataStore } from 'src/app/model/data-store';
 export interface graphNodes {
 id: string;
 relativeLevel: number;
- relativeCount: number;
+ index: number;
+ activitycount: number;
 }
 
 export interface graphLinks {
@@ -25,7 +26,7 @@ export interface graph {
 templateUrl: './dependency-graph.component.html',
 styleUrls: ['./dependency-graph.component.css'],
 })
-export class DependencyGraphComponent implements OnInit {
+export class DependencyGraphComponent implements OnInit, OnChanges {
 COLOR_OF_LINK: string = 'black';
 COLOR_OF_NODE: string = '#66bb6a';
 COLOR_OF_PREDECESSOR: string = '#deeedeff';
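Review bot: The `index` field added to `graphNodes` collides with a property d3 owns: when the node array is handed to `simulation.nodes(...)`, d3-force assigns `index`, `x`, `y`, `vx` and `vy` on every node object, so by the time `initX` (later in this patch) reads `d.index` it holds the node's position in the array, not the per-level counter passed to `addNode`. Rename it, e.g. `levelIndex: number;`, and use that name in `addNode` and `initX`. Naming is also off for this file's conventions: `graphNodes`/`graphLinks` are lower-camel and plural for a single-node shape (`GraphNode`/`GraphLink` would follow TypeScript convention), and `activitycount` should be `activityCount`.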
@@ -43,18 +44,36 @@ export class DependencyGraphComponent implements OnInit {
 ngOnInit(): void {
 this.loader.load().then((dataStore: DataStore) => {
 this.dataStore = dataStore;
+ console.log('Dep-graph: Setting datastore');
 if (!dataStore.activityStore) {
 throw Error('No activity store loaded');
 }
- let activity: Activity = dataStore.activityStore.getActivityByName(this.activityName);
- if (activity) {
- this.graphData = { nodes: [], links: [] };
- this.populateGraphWithActivitiesCurrentActivityDependsOn(activity);
- this.populateGraphWithActivitiesThatDependsOnCurrentActivity(activity);
+ this.populateGraph(this.activityName);
+ });
+ }
 
- this.generateGraph(this.activityName);
+ ngOnChanges(changes: SimpleChanges): void {
+ console.log(changes);
+ if (this.dataStore?.activityStore) {
+ if (changes?.hasOwnProperty('activityName')) {
+ this.populateGraph(changes['activityName'].currentValue);
 }
- });
+ }
+ }
+
+ populateGraph(activityName: string): void {
+ if (this.simulation) {
+ this.simulation.stop();
+ }
+ this.visited.clear();
+ let activity: Activity | undefined = this.dataStore?.activityStore?.getActivityByName(activityName);
+ if (activity) {
+ this.graphData = { nodes: [], links: [] };
+ this.populateGraphWithActivitiesCurrentActivityDependsOn(activity);
+ this.populateGraphWithActivitiesThatDependsOnCurrentActivity(activity);
+
+ this.generateGraph(this.activityName);
+ }
 }
 
 populateGraphWithActivitiesCurrentActivityDependsOn(activity: Activity): void {
@@ -68,6 +87,7 @@ export class DependencyGraphComponent implements OnInit {
 target: activity.name,
 });
 }
+ this.graphData['nodes'].filter(node => node.relativeLevel == -1).forEach(node => { node.activitycount = i - 1 });
 }
 }
 
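Review bot: `populateGraph` takes `activityName`, looks the activity up with it, and then calls `this.generateGraph(this.activityName)`, so the drawn graph is titled after the bound input rather than the argument; from `ngOnChanges` the two happen to be equal, but any other caller gets a mismatch. Use `this.generateGraph(activityName);`. The two `console.log` calls (`'Dep-graph: Setting datastore'` and `console.log(changes)`) look like debugging leftovers and dump every input change to the browser console; drop them or route them through a logger. `changes?.hasOwnProperty('activityName')` trips `no-prototype-builtins` and the `?.` is unnecessary since Angular always passes a `SimpleChanges` object; `'activityName' in changes` is the usual form.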
@@ -83,48 +103,56 @@ export class DependencyGraphComponent implements OnInit { }); } } + this.graphData['nodes'].filter(node => node.relativeLevel == 1).forEach(node => { + node.activitycount = i -1; + }); } - addNode(activityName: string, relativeLevel: number = 0, relativeCount: number = 0): void { + addNode(activityName: string, relativeLevel: number = 0, index: number = 0): void { if (!this.visited.has(activityName)) { - this.graphData['nodes'].push({ id: activityName, relativeLevel, relativeCount }); + let d: any = { + id: activityName, + relativeLevel, + index, + }; + this.graphData['nodes'].push(d); this.visited.add(activityName); } } + initX(d: any): number { + let col: number = 7; + if (d.activitycount > col && d.activitycount < col * 2) { + col = Math.ceil(d.activitycount / 2); + } + return d.relativeLevel * Math.ceil(d.index / col) * 300; + } + initY(d: any): number { + return d.relativeLevel * 30; + } + generateGraph(activityName: string): void { let svg = d3.select('svg'); + svg.selectAll('*').remove(); // Now that rectWidth is set on each node, set up the simulation + /* eslint-disable */ this.simulation = d3 .forceSimulation() + // .alphaMin(0.11) .force( 'link', - d3 - .forceLink() - .id(function (d: any) { + d3.forceLink().id(function (d: any) { return d.id; - }) - .strength(0.1) + }).strength(0.1) ) - .force( - 'x', - d3 - .forceX((d: any) => { - let col: number = 7; - return d.relativeLevel * Math.ceil(d.relativeCount / col) * 300; - }) - .strength(5) - ) - // .force('y', d3.forceY((d: any) => { - // return d.relativeLevel * 30; - // }).strength(10)) - .force('charge', d3.forceManyBody().strength(-80)) - .force( - 'collide', - d3.forceCollide((d: any) => 30) + .force('x', d3.forceX((d: any) => { return self.initX(d) }).strength(5) ) + // .force('y', d3.forceY( this.initY ).strength(5)) + .force('charge', d3.forceManyBody().strength(-30)) + .force('collide', d3.forceCollide((d: any) => 30)) .force('center', d3.forceCenter(0, 0)); + /* 
eslint-enable */ svg .append('defs') @@ -142,7 +170,7 @@ export class DependencyGraphComponent implements OnInit { .attr('fill', this.COLOR_OF_LINK) .style('stroke', 'none'); - let link = svg + let links = svg .append('g') .attr('class', 'links') .selectAll('line') @@ -152,15 +180,13 @@ export class DependencyGraphComponent implements OnInit { .style('stroke', this.COLOR_OF_LINK) .attr('marker-end', 'url(#arrowhead)'); - /* eslint-disable */ - let node = svg - .append('g') - .attr('class', 'nodes') - .selectAll('g') - .data(this.graphData['nodes']) - .enter() - .append('g'); - /* eslint-enable */ + let nodes = svg + .append('g') + .attr('class', 'nodes') + .selectAll('g') + .data(this.graphData['nodes']) + .enter() + .append('g'); const rectHeight = 30; const rectRx = 10; @@ -168,7 +194,7 @@ export class DependencyGraphComponent implements OnInit { const padding = 20; // Append text first so we can measure it - node + nodes .append('text') .attr('dy', '0.35em') .attr('text-anchor', 'middle') @@ -178,7 +204,7 @@ export class DependencyGraphComponent implements OnInit { // Now for each node, measure the text and insert a rect behind it const self = this; - node.each(function (this: SVGGElement, d: any) { + nodes.each(function (this: SVGGElement, d: any) { const textElem = d3.select(this).select('text').node() as SVGTextElement; let textWidth = 60; // fallback default if (textElem && textElem.getBBox) { 
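Review bot: The new `forceX` callback `(d: any) => { return self.initX(d) }` references `self`, but `const self = this;` is declared further down in `generateGraph` (visible as context in the `@@ -178` hunk), so the closure reads a `const` before its declaration and only works because d3 defers the call until `simulation.nodes()` runs — presumably also why the block is wrapped in `/* eslint-disable */`. The arrow function already captures `this`, so `d3.forceX((d: any) => this.initX(d)).strength(5)` removes both the forward reference and the lint escape hatch. `initX`/`initY` take `d: any`; typing them as `(d: graphNodes)` would document which node fields the layout reads. A one-line comment on the `activitycount = i - 1` assignment saying it stores the number of nodes at that level would spare the next reader tracing the loop counter.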
@@ -211,98 +237,100 @@ export class DependencyGraphComponent implements OnInit { this.simulation.force('link').links(this.graphData['links']); function ticked() { - // Improved rectangle edge intersection for arrowhead placement - function rectEdgeIntersection( - sx: number, - sy: number, - tx: number, - ty: number, - rectWidth: number, - rectHeight: number, - offset: number = 0 - ) { - // Rectangle centered at (tx, ty) - const dx = tx - sx; - const dy = ty - sy; - const w = rectWidth / 2; - const h = rectHeight / 2; - // Parametric line: (sx, sy) + t*(dx, dy), t in [0,1] - // Find smallest t in (0,1] where line crosses rectangle edge - let tMin = 1; - // Left/right sides - if (dx !== 0) { - let t1 = (w - (sx - tx)) / dx; - let y1 = sy + t1 * dy; - if (t1 > 0 && Math.abs(y1 - ty) <= h) tMin = Math.min(tMin, t1); - let t2 = (-w - (sx - tx)) / dx; - let y2 = sy + t2 * dy; - if (t2 > 0 && Math.abs(y2 - ty) <= h) tMin = Math.min(tMin, t2); - } - // Top/bottom sides - if (dy !== 0) { - let t3 = (h - (sy - ty)) / dy; - let x3 = sx + t3 * dx; - if (t3 > 0 && Math.abs(x3 - tx) <= w) tMin = Math.min(tMin, t3); - let t4 = (-h - (sy - ty)) / dy; - let x4 = sx + t4 * dx; - if (t4 > 0 && Math.abs(x4 - tx) <= w) tMin = Math.min(tMin, t4); - } - // Clamp tMin to [0,1] - tMin = Math.max(0, Math.min(1, tMin)); - // Move intersection back by 'offset' pixels along the direction from target to source - let px = sx + dx * tMin; - let py = sy + dy * tMin; - if (offset > 0 && (dx !== 0 || dy !== 0)) { - const len = Math.sqrt(dx * dx + dy * dy); - px -= (dx / len) * offset; - py -= (dy / len) * offset; - } - return { x: px, y: py }; - } + if (self.simulation.alpha() < 1.9) { + // Improved rectangle edge intersection for arrowhead placement + links + .attr('x1', function (d: any) { + return d.source.x; + }) + .attr('y1', function (d: any) { + return d.source.y; + }) + .attr('x2', function (d: any) { + // If target has rectWidth, adjust arrow to edge minus offset + if (d.target.rectWidth) { 
+ const pt = self.rectEdgeIntersection( + d.source.x, + d.source.y, + d.target.x, + d.target.y, + d.target.rectWidth, + 30, + 10 // rectHeight, offset + ); + return pt.x; + } + return d.target.x; + }) + .attr('y2', function (d: any) { + if (d.target.rectWidth) { + const pt = self.rectEdgeIntersection( + d.source.x, + d.source.y, + d.target.x, + d.target.y, + d.target.rectWidth, + 30, + 10 + ); + return pt.y; + } + return d.target.y; + }); - link - .attr('x1', function (d: any) { - return d.source.x; - }) - .attr('y1', function (d: any) { - return d.source.y; - }) - .attr('x2', function (d: any) { - // If target has rectWidth, adjust arrow to edge minus offset - if (d.target.rectWidth) { - const pt = rectEdgeIntersection( - d.source.x, - d.source.y, - d.target.x, - d.target.y, - d.target.rectWidth, - 30, - 10 // rectHeight, offset - ); - return pt.x; - } - return d.target.x; - }) - .attr('y2', function (d: any) { - if (d.target.rectWidth) { - const pt = rectEdgeIntersection( - d.source.x, - d.source.y, - d.target.x, - d.target.y, - d.target.rectWidth, - 30, - 10 - ); - return pt.y; - } - return d.target.y; + nodes.attr('transform', function (d: any) { + return 'translate(' + d.x + ',' + d.y + ')'; }); + } + } + } - node.attr('transform', function (d: any) { - return 'translate(' + d.x + ',' + d.y + ')'; - }); + rectEdgeIntersection( + sx: number, + sy: number, + tx: number, + ty: number, + rectWidth: number, + rectHeight: number, + offset: number = 0 + ) { + // Rectangle centered at (tx, ty) + const dx = tx - sx; + const dy = ty - sy; + const w = rectWidth / 2; + const h = rectHeight / 2; + // Parametric line: (sx, sy) + t*(dx, dy), t in [0,1] + // Find smallest t in (0,1] where line crosses rectangle edge + let tMin = 1; + // Left/right sides + if (dx !== 0) { + let t1 = (w - (sx - tx)) / dx; + let y1 = sy + t1 * dy; + if (t1 > 0 && Math.abs(y1 - ty) <= h) tMin = Math.min(tMin, t1); + let t2 = (-w - (sx - tx)) / dx; + let y2 = sy + t2 * dy; + if (t2 > 0 && 
Math.abs(y2 - ty) <= h) tMin = Math.min(tMin, t2); + } + // Top/bottom sides + if (dy !== 0) { + let t3 = (h - (sy - ty)) / dy; + let x3 = sx + t3 * dx; + if (t3 > 0 && Math.abs(x3 - tx) <= w) tMin = Math.min(tMin, t3); + let t4 = (-h - (sy - ty)) / dy; + let x4 = sx + t4 * dx; + if (t4 > 0 && Math.abs(x4 - tx) <= w) tMin = Math.min(tMin, t4); + } + // Clamp tMin to [0,1] + tMin = Math.max(0, Math.min(1, tMin)); + // Move intersection back by 'offset' pixels along the direction from target to source + let px = sx + dx * tMin; + let py = sy + dy * tMin; + if (offset > 0 && (dx !== 0 || dy !== 0)) { + const len = Math.sqrt(dx * dx + dy * dy); + px -= (dx / len) * offset; + py -= (dy / len) * offset; } + return { x: px, y: py }; } /** @@ -329,17 +357,17 @@ export class DependencyGraphComponent implements OnInit { for (i = 0; i < n; ++i) { node = nodes[i]; // Calculate bounding box for node - nx1 = node.x - node.rectWidth / 2; - nx2 = node.x + node.rectWidth / 2; - ny1 = node.y - 15; // rectHeight / 2 - ny2 = node.y + 15; + nx1 = node.x - node.rectWidth / 2 - 10; + nx2 = node.x + node.rectWidth / 2 + 10; + ny1 = node.y - 25; + ny2 = node.y + 25; for (let j = i + 1; j < n; ++j) { other = nodes[j]; // Calculate bounding box for other node ox1 = other.x - other.rectWidth / 2; ox2 = other.x + other.rectWidth / 2; - oy1 = other.y - 15; - oy2 = other.y + 15; + oy1 = other.y - 25; + oy2 = other.y + 25; // Check for overlap between rectangles if (nx1 < ox2 && nx2 > ox1 && ny1 < oy2 && ny2 > oy1) { // Overlap detected, push nodes apart along the direction between them diff --git a/src/app/pages/circular-heatmap/circular-heatmap.component.html b/src/app/pages/circular-heatmap/circular-heatmap.component.html index fdf1ff5c9..c52aa6a6b 100644 --- a/src/app/pages/circular-heatmap/circular-heatmap.component.html +++ b/src/app/pages/circular-heatmap/circular-heatmap.component.html @@ -70,6 +70,18 @@
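Review bot: `rectEdgeIntersection` becomes a public method here but has no return type and no doc comment, and its callers in `ticked` pass the literals `30, 10` for `rectHeight`/`offset` while `generateGraph` already defines `const rectHeight = 30`, so the rectangle height now lives in two places. Annotate the signature as `): { x: number; y: number } {` and add a TSDoc saying the rectangle is centred on `(tx, ty)`, the result is the first crossing of the segment from `(sx, sy)` with the rectangle edge (or the target centre when none is found), and `offset` pulls the point back toward the source. Promoting the height and the arrowhead offset to class constants would let `ticked` and the method share them. The new `if (self.simulation.alpha() < 1.9)` guard never excludes a tick, because a d3 simulation starts at alpha 1 and decays from there; if it is meant to skip the first frames the threshold has to be below 1.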
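Review bot: The bounding boxes now carry four literals (`10`, `25`) that appear to be half the rectangle height plus a padding, and the horizontal `10` is added to `node` only and not to `other`; the resulting minimum gap is the same, but it reads as an oversight and deserves a one-line comment (`// padding applied on one side only; the overlap test is symmetric`). Together with the `30` in `generateGraph` and the `30, 10` passed to `rectEdgeIntersection`, the rectangle geometry is now spread over three places; class constants such as `readonly RECT_HEIGHT = 30;` and `readonly COLLIDE_PADDING = 10;` would keep them in step. The enclosing collision function starts and ends outside the hunk.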

Nothing to show

+ + + + Assesment + + + +

+
+
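Review bot: The new heading text in this section reads `Assesment`; it should be `Assessment`. The rest of the hunk is template structure whose tags are not preserved on this page, so nothing else can be checked here.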
@@ -87,6 +99,18 @@

Nothing to show

+ + + + + Dependencies + + + + + + + From 1eef470313eec69a7619f89abe2224d5bbce3668 Mon Sep 17 00:00:00 2001 From: "vegard.bakke" Date: Fri, 26 Sep 2025 07:58:24 +0200 Subject: [PATCH 14/23] Linting --- .../dependency-graph.component.ts | 17 ++++++++++++----- .../circular-heatmap.component.html | 3 +-- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/src/app/component/dependency-graph/dependency-graph.component.ts b/src/app/component/dependency-graph/dependency-graph.component.ts index 7b133f3f9..415b76ed8 100644 --- a/src/app/component/dependency-graph/dependency-graph.component.ts +++ b/src/app/component/dependency-graph/dependency-graph.component.ts @@ -66,7 +66,8 @@ export class DependencyGraphComponent implements OnInit, OnChanges { this.simulation.stop(); } this.visited.clear(); - let activity: Activity | undefined = this.dataStore?.activityStore?.getActivityByName(activityName); + let activity: Activity | undefined = + this.dataStore?.activityStore?.getActivityByName(activityName); if (activity) { this.graphData = { nodes: [], links: [] }; this.populateGraphWithActivitiesCurrentActivityDependsOn(activity); @@ -87,7 +88,11 @@ export class DependencyGraphComponent implements OnInit, OnChanges { target: activity.name, }); } - this.graphData['nodes'].filter(node => node.relativeLevel == -1).forEach(node => { node.activitycount = i - 1 }); + this.graphData['nodes'] + .filter(node => node.relativeLevel == -1) + .forEach(node => { + node.activitycount = i - 1; + }); } } @@ -103,9 +108,11 @@ export class DependencyGraphComponent implements OnInit, OnChanges { }); } } - this.graphData['nodes'].filter(node => node.relativeLevel == 1).forEach(node => { - node.activitycount = i -1; - }); + this.graphData['nodes'] + .filter(node => node.relativeLevel == 1) + .forEach(node => { + node.activitycount = i - 1; + }); } addNode(activityName: string, relativeLevel: number = 0, index: number = 0): void { 
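Review bot: The reformatted filters in hunks `@@ -87,7 +88,11` and `@@ -103,9 +108,11` still use loose equality, `.filter(node => node.relativeLevel == -1)` and `.filter(node => node.relativeLevel == 1)`, while the rest of this file compares strictly (`dx !== 0`, `dy !== 0` in `rectEdgeIntersection`); as this is a lint pass, switching both to `===` here keeps the file consistent and satisfies an `eqeqeq` rule if one is enabled. `relativeLevel` is declared `number` on `graphNodes`, so the change is behaviour-neutral.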
diff --git a/src/app/pages/circular-heatmap/circular-heatmap.component.html b/src/app/pages/circular-heatmap/circular-heatmap.component.html index c52aa6a6b..8ed4dfacf 100644 --- a/src/app/pages/circular-heatmap/circular-heatmap.component.html +++ b/src/app/pages/circular-heatmap/circular-heatmap.component.html @@ -100,7 +100,7 @@

Nothing to show

- + Dependencies @@ -110,7 +110,6 @@

Nothing to show

- From f4d77d97c2192bde8e0c9d0ad87605bacb293aaa Mon Sep 17 00:00:00 2001 From: Vegard Bakke Date: Sat, 27 Sep 2025 20:43:19 +0200 Subject: [PATCH 15/23] Renamed variables --- .../dependency-graph.component.ts | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/app/component/dependency-graph/dependency-graph.component.ts b/src/app/component/dependency-graph/dependency-graph.component.ts index 415b76ed8..9e10289c8 100644 --- a/src/app/component/dependency-graph/dependency-graph.component.ts +++ b/src/app/component/dependency-graph/dependency-graph.component.ts @@ -7,8 +7,8 @@ import { DataStore } from 'src/app/model/data-store'; export interface graphNodes { id: string; relativeLevel: number; - index: number; - activitycount: number; + activityIndex: number; + activityCount: number; } export interface graphLinks { @@ -70,6 +70,7 @@ export class DependencyGraphComponent implements OnInit, OnChanges { this.dataStore?.activityStore?.getActivityByName(activityName); if (activity) { this.graphData = { nodes: [], links: [] }; + this.addNode(activity.name); this.populateGraphWithActivitiesCurrentActivityDependsOn(activity); this.populateGraphWithActivitiesThatDependsOnCurrentActivity(activity); @@ -78,7 +79,6 @@ export class DependencyGraphComponent implements OnInit, OnChanges { } populateGraphWithActivitiesCurrentActivityDependsOn(activity: Activity): void { - this.addNode(activity.name); if (activity.dependsOn) { let i: number = 1; for (const prececcor of activity.dependsOn) { @@ -91,7 +91,7 @@ export class DependencyGraphComponent implements OnInit, OnChanges { this.graphData['nodes'] .filter(node => node.relativeLevel == -1) .forEach(node => { - node.activitycount = i - 1; + node.activityCount = i - 1; }); } } 
@@ -111,16 +111,16 @@ export class DependencyGraphComponent implements OnInit, OnChanges { this.graphData['nodes'] .filter(node => node.relativeLevel == 1) .forEach(node => { - node.activitycount = i - 1; + node.activityCount = i - 1; }); } - addNode(activityName: string, relativeLevel: number = 0, index: number = 0): void { + addNode(activityName: string, relativeLevel: number = 0, activityIndex: number = 0): void { if (!this.visited.has(activityName)) { let d: any = { id: activityName, relativeLevel, - index, + activityIndex, }; this.graphData['nodes'].push(d); this.visited.add(activityName); @@ -128,11 +128,11 @@ export class DependencyGraphComponent implements OnInit, OnChanges { } initX(d: any): number { - let col: number = 7; - if (d.activitycount > col && d.activitycount < col * 2) { - col = Math.ceil(d.activitycount / 2); + let col: number = 8; + if (d.activityCount > col && d.activityCount < col * 2) { + col = Math.ceil(d.activityCount / 2); } - return d.relativeLevel * Math.ceil(d.index / col) * 300; + return d.relativeLevel * Math.ceil(d.activityIndex / col) * 300; } initY(d: any): number { return d.relativeLevel * 30; From 8b75cef2148d6501f12d6835ab4091092037eddc Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Sat, 27 Sep 2025 23:16:55 +0200 Subject: [PATCH 16/23] Remove unused variable --- src/main.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/src/main.ts b/src/main.ts index 06e9421aa..345453bdf 100644 --- a/src/main.ts +++ b/src/main.ts @@ -9,7 +9,6 @@ import { platformBrowserDynamic } from '@angular/platform-browser-dynamic'; import { AppModule } from './app/app.module'; import { environment } from './environments/environment'; -const localDevelopment: boolean = window.location.hostname == 'localhost'; if (environment.production) { enableProdMode(); } From f4e232c8b914810b54ec957f55917ce7a5af741f Mon Sep 17 00:00:00 2001 
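Review bot: `initX(d: any)` and `initY(d: any)` read `activityCount`, `activityIndex` and `relativeLevel`, which are exactly the fields this commit renames on the `graphNodes` interface, so typing the parameter as `d: graphNodes` would have made the rename compiler-checked instead of grep-based (`addNode` still pushes a `let d: any`, which is where that check is lost). The column limit `let col: number = 8;` changed from 7 without explanation; a named constant such as `readonly MAX_NODES_PER_ROW = 8;` with a one-line comment on why a level is split into two rows when `activityCount` lies between `col` and `2 * col` would document the layout rule.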
From: "EMEAAD\\vbakke" Date: Sun, 28 Sep 2025 09:17:00 +0200 Subject: [PATCH 17/23] Removed experimental code --- src/app/app.component.ts | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/src/app/app.component.ts b/src/app/app.component.ts index c48756c4d..54a5b5998 100644 --- a/src/app/app.component.ts +++ b/src/app/app.component.ts @@ -1,6 +1,5 @@ import { Component, OnInit } from '@angular/core'; import { ThemeService } from './service/theme.service'; -import { environment } from '../environments/environment'; @Component({ selector: 'app-root', @@ -23,18 +22,6 @@ export class AppComponent implements OnInit { this.menuIsOpen = false; }, 600); } - - if (environment?.production === false) { - fetch( - 'https://api.github.com/repos/devsecopsmaturitymodel/DevSecOps-MaturityModel/branches/v4' - ).then(async response => { - let gitinfo: any = await response.json(); - let commitDate: string = gitinfo?.commit?.commit?.author?.date; - if (commitDate) { - this.subtitle = `Released: ${commitDate?.replace('T', ' ')}`; - } - }); - } } toggleMenu(): void { From 5e617bae2eb533e05c4f881f64104da2196f09fc Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Sun, 28 Sep 2025 14:52:10 +0200 Subject: [PATCH 18/23] Updated url links --- INSTALL.md | 4 ++-- README.md | 4 ++-- src/assets/Markdown Files/README.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index cd54725fe..cb13207db 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -101,7 +101,7 @@ syntax can be used. The evidence is currently visible on the activity from the M # Back link -- [OWASP DevSecOps maturity model page](https://dsomm.timo-pagel.de/) +- [OWASP DevSecOps maturity model page](https://dsomm.owasp.org/) - [OWASP DevSecOps project page](https://owasp.org/www-project-devsecops-maturity-model/) - [OWASP](https://owasp.org) 
@@ -135,7 +135,7 @@ This program is free software: you can redistribute it and/or modify it under th The intellectual property (content in the _data_ folder) is licensed under Attribution-ShareAlike. An example attribution by changing the content: -> This work is based on the [OWASP DevSecOps Maturity Model](https://dsomm.timo-pagel.de). +> This work is based on the [OWASP DevSecOps Maturity Model](https://dsomm.owasp.org/). The OWASP DevSecOps Maturity Model and any contributions are Copyright © by Timo Pagel 2017-2025. diff --git a/README.md b/README.md index 3fbf5dd88..e361e2a96 100644 --- a/README.md +++ b/README.md @@ -161,7 +161,7 @@ syntax can be used. The evidence is currently visible on the activity from the M # Back link -- [OWASP DevSecOps maturity model page](https://dsomm.timo-pagel.de/) +- [OWASP DevSecOps maturity model page](https://dsomm.owasp.org/) - [OWASP DevSecOps project page](https://owasp.org/www-project-devsecops-maturity-model/) - [OWASP](https://owasp.org) @@ -195,6 +195,6 @@ This program is free software: you can redistribute it and/or modify it under th The intellectual property (content in the _data_ folder) is licensed under Attribution-ShareAlike. An example attribution by changing the content: -> This work is based on the [OWASP DevSecOps Maturity Model](https://dsomm.timo-pagel.de). +> This work is based on the [OWASP DevSecOps Maturity Model](https://dsomm.owasp.org/). The OWASP DevSecOps Maturity Model and any contributions are Copyright © by Timo Pagel 2017-2022. diff --git a/src/assets/Markdown Files/README.md b/src/assets/Markdown Files/README.md index dae0484c9..23a2b3ca0 100644 --- a/src/assets/Markdown Files/README.md +++ b/src/assets/Markdown Files/README.md 
@@ -144,7 +144,7 @@ syntax can be used. The evidence is currently visible on the activity from the M # Back link -- [OWASP DevSecOps maturity model page](https://dsomm.timo-pagel.de/) +- [OWASP DevSecOps maturity model page](https://dsomm.owasp.org/) - [OWASP DevSecOps project page](https://owasp.org/www-project-devsecops-maturity-model/) - [OWASP](https://owasp.org) @@ -178,6 +178,6 @@ This program is free software: you can redistribute it and/or modify it under th The intellectual property (content in the _data_ folder) is licensed under Attribution-ShareAlike. An example attribution by changing the content: -> This work is based on the [OWASP DevSecOps Maturity Model](https://dsomm.timo-pagel.de). +> This work is based on the [OWASP DevSecOps Maturity Model](https://dsomm.owasp.org/). The OWASP DevSecOps Maturity Model and any contributions are Copyright © by Timo Pagel 2017-2022. From e8d7bb2d38905bfe04ee28ba803d73656f247e19 Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Sun, 28 Sep 2025 18:53:12 +0200 Subject: [PATCH 19/23] Dependency: Support dark mode --- .../activity-description.component.html | 22 +-- .../dependency-graph.component.ts | 147 +++++++++++------- src/assets/Markdown Files/TODO-v4.md | 17 +- src/custom-theme.scss | 13 +- 4 files changed, 123 insertions(+), 76 deletions(-) diff --git a/src/app/component/activity-description/activity-description.component.html b/src/app/component/activity-description/activity-description.component.html index a4137bc11..fae104d05 100644 --- a/src/app/component/activity-description/activity-description.component.html +++ b/src/app/component/activity-description/activity-description.component.html @@ -55,6 +55,17 @@

+ + + + Dependencies + + +
+ +
+
+ @@ -231,17 +242,6 @@

- - - - Dependencies - - -
- -
-
- diff --git a/src/app/component/dependency-graph/dependency-graph.component.ts b/src/app/component/dependency-graph/dependency-graph.component.ts index 9e10289c8..5c458c755 100644 --- a/src/app/component/dependency-graph/dependency-graph.component.ts +++ b/src/app/component/dependency-graph/dependency-graph.component.ts @@ -3,6 +3,7 @@ import * as d3 from 'd3'; import { LoaderService } from '../../service/loader/data-loader.service'; import { Activity } from 'src/app/model/activity-store'; import { DataStore } from 'src/app/model/data-store'; +import { ThemeService } from 'src/app/service/theme.service'; export interface graphNodes { id: string; @@ -21,17 +22,24 @@ export interface graph { links: graphLinks[]; } +interface ThemeColors { + linkColor: string; + borderColor: string; + mainNodeColor: string; + mainNodeFill: string; + predecessorFill: string; + successorFill: string; +} + @Component({ selector: 'app-dependency-graph', templateUrl: './dependency-graph.component.html', styleUrls: ['./dependency-graph.component.css'], }) export class DependencyGraphComponent implements OnInit, OnChanges { - COLOR_OF_LINK: string = 'black'; - COLOR_OF_NODE: string = '#66bb6a'; - COLOR_OF_PREDECESSOR: string = '#deeedeff'; - COLOR_OF_SUCCESSOR: string = '#fdfdfdff'; - BORDER_COLOR_OF_NODE: string = 'black'; + css: CSSStyleDeclaration = getComputedStyle(document.body); + themeColors: Partial = {}; + theme: string; simulation: any; dataStore: Partial = {}; graphData: graph = { nodes: [], links: [] }; @@ -39,7 +47,10 @@ export class DependencyGraphComponent implements OnInit, OnChanges { @Input() activityName: string = ''; - constructor(private loader: LoaderService) {} + constructor(private loader: LoaderService, private themeService: ThemeService) { + this.theme = this.themeService.getTheme(); + this.setThemeColors(this.theme); + } ngOnInit(): void { this.loader.load().then((dataStore: DataStore) => { 
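Review bot: The constructor calls `this.setThemeColors(this.theme)`, and `setThemeColors` ends with `this.generateGraph()` (next hunk), so a complete d3 render — including `svg.selectAll('*').remove()` on `d3.select('svg')` — runs during construction, before this component's template exists and before `ngOnInit` has populated `graphData`. Reading the colours in the constructor is fine, but the render belongs after data load; splitting the method into a colour-reading part used here and the `generateGraph()` call that `populateGraph` already makes avoids the extra pass. `css: CSSStyleDeclaration = getComputedStyle(document.body)` is also evaluated at construction; since the returned declaration is live, later `getPropertyValue` reads do reflect the current theme, but a short comment saying so would stop someone from caching the values. The class continues outside the hunk.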
@@ -50,6 +61,11 @@ export class DependencyGraphComponent implements OnInit, OnChanges { } this.populateGraph(this.activityName); }); + + // Reactively handle theme changes (if user toggles later) + this.themeService.theme$.subscribe((theme: string) => { + this.setThemeColors(theme); + }); } ngOnChanges(changes: SimpleChanges): void { @@ -61,6 +77,19 @@ export class DependencyGraphComponent implements OnInit, OnChanges { } } + setThemeColors(theme: string) { + /* eslint-disable */ + this.themeColors.mainNodeFill = this.css.getPropertyValue('--heatmap-filled').trim(); + this.themeColors.mainNodeColor = this.css.getPropertyValue('--text-primary').trim(); + this.themeColors.linkColor = this.css.getPropertyValue('--dependency-link').trim(); + this.themeColors.borderColor = this.css.getPropertyValue('--dependency-border').trim(); + this.themeColors.predecessorFill = this.css.getPropertyValue('--dependency-predecessor-fill').trim(); + this.themeColors.successorFill = this.css.getPropertyValue('--dependency-successor-fill').trim(); + /*eslint-enable */ + + this.generateGraph(); + } + populateGraph(activityName: string): void { if (this.simulation) { this.simulation.stop(); @@ -74,7 +103,7 @@ export class DependencyGraphComponent implements OnInit, OnChanges { this.populateGraphWithActivitiesCurrentActivityDependsOn(activity); this.populateGraphWithActivitiesThatDependsOnCurrentActivity(activity); - this.generateGraph(this.activityName); + this.generateGraph(); } } @@ -138,7 +167,7 @@ export class DependencyGraphComponent implements OnInit, OnChanges { return d.relativeLevel * 30; } - generateGraph(activityName: string): void { + generateGraph(): void { let svg = d3.select('svg'); svg.selectAll('*').remove(); 
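Review bot: `this.themeService.theme$.subscribe(...)` in `ngOnInit` is never unsubscribed, and the class implements only `OnInit, OnChanges`, so every instance keeps receiving theme changes after it is destroyed and re-runs `setThemeColors` → `generateGraph()` against whatever `d3.select('svg')` finds on the page at that moment. Keep the subscription and release it: `private themeSub?: Subscription;`, `this.themeSub = this.themeService.theme$.subscribe(...)`, and `ngOnDestroy(): void { this.themeSub?.unsubscribe(); }` (adding `OnDestroy` to the implements list and `Subscription` to the rxjs imports). If `theme$` replays its current value on subscribe, this also triggers a second full render right after the constructor's; worth confirming against `ThemeService`.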
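Review bot: `mainNodeFill` is read from `--heatmap-filled`, while the `custom-theme.scss` hunk of this same commit introduces `--dependency-mainnode-fill` for both themes and nothing reads it; the intended line is presumably `this.themeColors.mainNodeFill = this.css.getPropertyValue('--dependency-mainnode-fill').trim();`. The `theme` parameter of `setThemeColors(theme: string)` is unused — the colours come from the computed style, not from the theme name — so either drop it or use it to guard the case where `theme$` emits before the body class is switched, in which case the six `getPropertyValue` reads return the previous theme's values (the ordering inside `ThemeService` is not visible here). The `/* eslint-disable */` around six plain assignments suppresses every rule; if it only exists for line length, wrapping the lines or a targeted `// eslint-disable-next-line` is preferable.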
@@ -174,7 +203,7 @@ export class DependencyGraphComponent implements OnInit, OnChanges { .attr('overflow', 'visible') .append('svg:path') .attr('d', 'M 0,-5 L 10 ,0 L 0,5') - .attr('fill', this.COLOR_OF_LINK) + .attr('fill', this.themeColors.linkColor || 'black') .style('stroke', 'none'); let links = svg @@ -184,7 +213,7 @@ export class DependencyGraphComponent implements OnInit, OnChanges { .data(this.graphData['links']) .enter() .append('line') - .style('stroke', this.COLOR_OF_LINK) + .style('stroke', this.themeColors.linkColor || 'black') .attr('marker-end', 'url(#arrowhead)'); let nodes = svg @@ -229,10 +258,12 @@ export class DependencyGraphComponent implements OnInit, OnChanges { .attr('rx', rectRx) .attr('ry', rectRy) .attr('fill', (d: any) => { - if (d.relativeLevel == 0) return self.COLOR_OF_NODE; - return d.relativeLevel < 0 ? self.COLOR_OF_PREDECESSOR : self.COLOR_OF_SUCCESSOR; + if (d.relativeLevel == 0) return self.themeColors.mainNodeFill || 'green'; + let col: string | undefined = + d.relativeLevel < 0 ? self.themeColors.predecessorFill : self.themeColors.successorFill; + return col || 'white'; }) - .attr('stroke', self.BORDER_COLOR_OF_NODE) + .attr('stroke', self.themeColors.borderColor || 'black') .attr('stroke-width', 1.5); }); 
@@ -244,51 +275,49 @@ export class DependencyGraphComponent implements OnInit, OnChanges { this.simulation.force('link').links(this.graphData['links']); function ticked() { - if (self.simulation.alpha() < 1.9) { - // Improved rectangle edge intersection for arrowhead placement - links - .attr('x1', function (d: any) { - return d.source.x; - }) - .attr('y1', function (d: any) { - return d.source.y; - }) - .attr('x2', function (d: any) { - // If target has rectWidth, adjust arrow to edge minus offset - if (d.target.rectWidth) { - const pt = self.rectEdgeIntersection( - d.source.x, - d.source.y, - d.target.x, - d.target.y, - d.target.rectWidth, - 30, - 10 // rectHeight, offset - ); - return pt.x; - } - return d.target.x; - }) - .attr('y2', function (d: any) { - if (d.target.rectWidth) { - const pt = self.rectEdgeIntersection( - d.source.x, - d.source.y, - d.target.x, - d.target.y, - d.target.rectWidth, - 30, - 10 - ); - return pt.y; - } - return d.target.y; - }); - - nodes.attr('transform', function (d: any) { - return 'translate(' + d.x + ',' + d.y + ')'; + // Improved rectangle edge intersection for arrowhead placement + links + .attr('x1', function (d: any) { + return d.source.x; + }) + .attr('y1', function (d: any) { + return d.source.y; + }) + .attr('x2', function (d: any) { + // If target has rectWidth, adjust arrow to edge minus offset + if (d.target.rectWidth) { + const pt = self.rectEdgeIntersection( + d.source.x, + d.source.y, + d.target.x, + d.target.y, + d.target.rectWidth, + 30, + 10 // rectHeight, offset + ); + return pt.x; + } + return d.target.x; + }) + .attr('y2', function (d: any) { + if (d.target.rectWidth) { + const pt = self.rectEdgeIntersection( + d.source.x, + d.source.y, + d.target.x, + d.target.y, + d.target.rectWidth, + 30, + 10 + ); + return pt.y; + } + return d.target.y; }); - } + + nodes.attr('transform', function (d: any) { + return 'translate(' + d.x + ',' + d.y + ')'; + }); } } 
@@ -364,8 +393,8 @@ export class DependencyGraphComponent implements OnInit, OnChanges { for (i = 0; i < n; ++i) { node = nodes[i]; // Calculate bounding box for node - nx1 = node.x - node.rectWidth / 2 - 10; - nx2 = node.x + node.rectWidth / 2 + 10; + nx1 = node.x - node.rectWidth / 2 - 25; + nx2 = node.x + node.rectWidth / 2 + 25; ny1 = node.y - 25; ny2 = node.y + 25; for (let j = i + 1; j < n; ++j) { diff --git a/src/assets/Markdown Files/TODO-v4.md b/src/assets/Markdown Files/TODO-v4.md index b9a0301dc..33929a9d7 100644 --- a/src/assets/Markdown Files/TODO-v4.md +++ b/src/assets/Markdown Files/TODO-v4.md @@ -1,13 +1,17 @@ ## Doing +### Dependency graph + +- Heatmap: Handle dependsOn uuid (example) + - http://localhost:4200/activity-description?uuid=13e9757e-58e2-4277-bc0f-eadc674891e6 + +- Dependency graph: Make connecting nodes clickable +- Heatmap: Add #uuid to URL + +## Next - Teams: Bug: Reads progress heading from activityStore, not metaStore - Team KPI: One KPI per ProgressDefinition - KPI: Add Sub-title -## Next -### Dependency graph -- Dependency graph: Add to CircularHeatmap Details -- Matrix: Dependency graph: Render in center of page - ## ToDo - Heatmap: Fix: asterisk marks when modified - ViewController needs to know about changes vs temp storage @@ -70,6 +74,9 @@ - Meta.yaml: Allow admins to customize the terms 'Team' and 'Group' (e.g. to 'App' and 'Portfolio') # Done +- Matrix: Dependency graph: Render in center of page +- Dependency graph: Add to CircularHeatmap Details +- Dependency graph: Support dark mode - Merge in Dark Mode [PR #381](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel/pull/381) - Linting - Using Angular's built-in DomSanitizer to check [innerHTML] diff --git a/src/custom-theme.scss b/src/custom-theme.scss index 72e9fb569..887e4cf74 100644 --- a/src/custom-theme.scss +++ b/src/custom-theme.scss 
@@ -100,6 +100,12 @@ body { --heatmap-cursor-hover: #1c8b1c; --heatmap-cursor-selected:#3d3d3d; + --dependency-link: #707070; + --dependency-border: #222222; + --dependency-mainnode-fill: #4caf50; + --dependency-predecessor-fill: #deeedeff; + --dependency-successor-fill: #fdfdfdff; + @include mat.all-component-themes($DSOMM-light-theme); } @@ -123,7 +129,12 @@ body.dark-theme { --heatmap-stroke: #000000; --heatmap-cursor-hover: #145e14; --heatmap-cursor-selected: #232323; - + + --dependency-link: #bbbbbb; + --dependency-border: #0e1b0e; + --dependency-mainnode-fill: rgb(107, 190, 107); + --dependency-predecessor-fill: rgb(172, 206, 172); + --dependency-successor-fill: rgb(192, 192, 192); .title-button, h1, h2, h3, h4, h5, h6 { From a416f317e7baba513d3a81f5844f3f2d9d59b2d9 Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Sun, 28 Sep 2025 19:17:30 +0200 Subject: [PATCH 20/23] Dependency: Swap uuids with activity names --- src/app/model/activity-store.spec.ts | 1 + src/app/model/activity-store.ts | 21 ++++++++++++++++++++- src/assets/Markdown Files/TODO-v4.md | 4 +--- 3 files changed, 22 insertions(+), 4 deletions(-) diff --git a/src/app/model/activity-store.spec.ts b/src/app/model/activity-store.spec.ts index ea6e5021e..622434f7b 100644 --- a/src/app/model/activity-store.spec.ts +++ b/src/app/model/activity-store.spec.ts @@ -139,6 +139,7 @@ const baseYaml: any = { uuid: '00000000-1111-1111-2222-000000000000', level: 1, description: 'Description from base yaml', + dependsOn: ['Activity 111', '00000000-1111-2222-1111-000000000000'], }, }, 'Dimension 12': { diff --git a/src/app/model/activity-store.ts b/src/app/model/activity-store.ts index ec932e491..7e7b6d0fd 100644 --- a/src/app/model/activity-store.ts +++ b/src/app/model/activity-store.ts @@ -1,6 +1,5 @@ import { appendHashElement } from '../util/ArrayHash'; import { IgnoreList } from './ignore-list'; -import { Progress } from './types'; import { MarkdownText } from './markdown-text'; export type Data = Record; 
@@ -55,6 +54,8 @@ export interface DifficultyOfImplementation { resources: number; } +const UUID = /([0-9a-f]{6,}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{6,})/i; + export class ActivityStore { public data: Data = {}; private _activityList: Activity[] = []; @@ -122,6 +123,7 @@ export class ActivityStore { this._activityByName = {}; this._activityByUuid = {}; this.buildLookups(this._activityList, this._activityByName, this._activityByUuid, errors); + this.replaceDependsOnUUids(this._activityList, this._activityByUuid); } this.buildDataHierarchy(this._activityList); this.buildDimensionList(this._activityList); @@ -246,6 +248,23 @@ export class ActivityStore { } } + /** + * Substitute dependsOn UUIDs with activity names + */ + replaceDependsOnUUids(activityList: Activity[], activityByUuid: Record) { + for (let activity of activityList) { + if (activity.dependsOn && activity.dependsOn.length > 0) { + for (let i = 0; i < activity.dependsOn.length; i++) { + if (activity.dependsOn[i].match(UUID)) { + if (activityByUuid.hasOwnProperty(activity.dependsOn[i])) { + activity.dependsOn[i] = activityByUuid[activity.dependsOn[i]].name; + } + } + } + } + } + } + addActivityLookup( activity: Activity, activityByName: Record, diff --git a/src/assets/Markdown Files/TODO-v4.md b/src/assets/Markdown Files/TODO-v4.md index 33929a9d7..62e159cd7 100644 --- a/src/assets/Markdown Files/TODO-v4.md +++ b/src/assets/Markdown Files/TODO-v4.md @@ -1,9 +1,6 @@ ## Doing ### Dependency graph -- Heatmap: Handle dependsOn uuid (example) - - http://localhost:4200/activity-description?uuid=13e9757e-58e2-4277-bc0f-eadc674891e6 - - Dependency graph: Make connecting nodes clickable - Heatmap: Add #uuid to URL 
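Review bot: `UUID` is unanchored and loose — `[0-9a-f]{6,}` for the 8- and 12-digit groups, no `^`/`$` — so `activity.dependsOn[i].match(UUID)` also accepts any activity name that merely contains a uuid-like run; `/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i` used with `.test()` matches what `activityByUuid` is actually keyed on. In `replaceDependsOnUUids` a uuid that is absent from `activityByUuid` is left in `dependsOn` silently, so the graph later shows a node labelled with the raw uuid; since `buildLookups` in the `@@ -122,6` hunk already receives an `errors` list, passing it in and pushing a message for the unresolved reference keeps this visible alongside the other lookup problems. `activityByUuid.hasOwnProperty(...)` is called on an object whose keys come from the YAML; `Object.prototype.hasOwnProperty.call(activityByUuid, key)` is the form that a key of the same name cannot shadow.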
@@ -74,6 +71,7 @@ - Meta.yaml: Allow admins to customize the terms 'Team' and 'Group' (e.g. to 'App' and 'Portfolio') # Done +- Dependency: Handle dependsOn uuid, not just name - Matrix: Dependency graph: Render in center of page - Dependency graph: Add to CircularHeatmap Details - Dependency graph: Support dark mode From cd6b6b67af6bf9005de71083ea7a4d0150f3a4fd Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Sun, 28 Sep 2025 23:28:08 +0200 Subject: [PATCH 21/23] Dependency: Added unit test for substituting dependsOn uuid --- src/app/model/activity-store.spec.ts | 2 ++ src/app/model/activity-store.ts | 3 ++- src/app/service/loader/data-loader.service.ts | 4 ++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/app/model/activity-store.spec.ts b/src/app/model/activity-store.spec.ts index 622434f7b..cc07da0bd 100644 --- a/src/app/model/activity-store.spec.ts +++ b/src/app/model/activity-store.spec.ts @@ -35,6 +35,8 @@ describe('ActivityStore', () => { expect(store.getActivityByUuid('00000000-1111-1111-1111-000000000000')?.name).toBe('Activity 111'); expect(store.getActivityByName('Activity 111')?.level).toBe(1); expect(store.getActivityByName('Activity 121')?.uuid).toBe('00000000-1111-2222-1111-000000000000'); + expect(store.getActivityByName('Activity 112')?.dependsOn).toContain('Activity 111'); + expect(store.getActivityByName('Activity 112')?.dependsOn).toContain('Activity 121'); // Substituted uuid expect(store.getActivities('Dimension 11', 1)).toHaveSize(2); expect(store.getActivities('Dimension 11', 1)?.map(a => a.name)).toContain('Activity 112'); }); diff --git a/src/app/model/activity-store.ts b/src/app/model/activity-store.ts index 7e7b6d0fd..c439f7d09 100644 --- a/src/app/model/activity-store.ts +++ b/src/app/model/activity-store.ts 
@@ -123,8 +123,8 @@ export class ActivityStore { this._activityByName = {}; this._activityByUuid = {}; this.buildLookups(this._activityList, this._activityByName, this._activityByUuid, errors); - this.replaceDependsOnUUids(this._activityList, this._activityByUuid); } + this.replaceDependsOnUUids(this._activityList, this._activityByUuid); this.buildDataHierarchy(this._activityList); this.buildDimensionList(this._activityList); } @@ -257,6 +257,7 @@ export class ActivityStore { for (let i = 0; i < activity.dependsOn.length; i++) { if (activity.dependsOn[i].match(UUID)) { if (activityByUuid.hasOwnProperty(activity.dependsOn[i])) { + console.log(`Replaces ${activity.dependsOn[i]} with ${activityByUuid[activity.dependsOn[i]].name}`); activity.dependsOn[i] = activityByUuid[activity.dependsOn[i]].name; } } diff --git a/src/app/service/loader/data-loader.service.ts b/src/app/service/loader/data-loader.service.ts index 5b5f2d8d9..c36ff10fd 100644 --- a/src/app/service/loader/data-loader.service.ts +++ b/src/app/service/loader/data-loader.service.ts @@ -20,6 +20,10 @@ export class LoaderService { constructor(private yamlService: YamlService) {} + get datastore(): DataStore | null { + return this.dataStore; + } + public async load(): Promise { // Return cached data if available if (this.dataStore) { From f0447d06d6c5d39e53ac1fdd88380a6cfb935adc Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Sun, 28 Sep 2025 23:42:27 +0200 Subject: [PATCH 22/23] Dependency: Make node clickable, for navigation --- .../activity-description.component.html | 5 ++- .../activity-description.component.spec.ts | 18 ++++---- .../activity-description.component.ts | 45 ++++++++++++++----- .../dependency-graph.component.ts | 45 ++++++++++++------- src/app/model/activity-store.ts | 1 - 5 files changed, 77 insertions(+), 37 deletions(-) 
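Review bot: Moving `this.replaceDependsOnUUids(...)` below the closing brace makes it run on the path where the `if` body is skipped as well, and on that path `_activityByName`/`_activityByUuid` are not reset or rebuilt (the resets and `buildLookups` stay inside the `if`), so the substitution operates on whatever the lookup held before, possibly an empty or stale table, and UUID references then stay as UUIDs without any error. The `if` condition and the start of the enclosing method are outside the hunk, so I cannot tell whether that path is reachable with a non-empty activity list; if it is, either keep the call inside the `if` or add a comment stating why substitution against the previous lookup is intended, e.g. `// Substitution runs even when lookups were not rebuilt: <reason>`.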
diff --git a/src/app/component/activity-description/activity-description.component.html b/src/app/component/activity-description/activity-description.component.html index fae104d05..6aaffce4a 100644 --- a/src/app/component/activity-description/activity-description.component.html +++ b/src/app/component/activity-description/activity-description.component.html @@ -62,7 +62,10 @@

- + +
diff --git a/src/app/component/activity-description/activity-description.component.spec.ts b/src/app/component/activity-description/activity-description.component.spec.ts index 14d18d048..b6860cb2f 100644 --- a/src/app/component/activity-description/activity-description.component.spec.ts +++ b/src/app/component/activity-description/activity-description.component.spec.ts @@ -2,6 +2,7 @@ import { HttpClient, HttpHandler } from '@angular/common/http'; import { ComponentFixture, TestBed } from '@angular/core/testing'; import { RouterTestingModule } from '@angular/router/testing'; import { ActivatedRoute } from '@angular/router'; +import { of } from 'rxjs'; import { ActivityDescriptionComponent } from './activity-description.component'; import { LoaderService } from 'src/app/service/loader/data-loader.service'; @@ -12,13 +13,11 @@ import { isEmptyObj } from 'src/app/util/util'; let mockLoaderService: MockLoaderService; let mockActivatedRoute = { - snapshot: { - queryParams: { uuid: '00000000-1111-1111-1111-0000000000000' }, - }, + queryParams: of({ uuid: '00000000-1111-1111-1111-0000000000000' }), }; let mockData = { 'Dim 1': { - 'SubDim 1.1': { + 'SubDim-1.1': { 'Activity 111': { uuid: '00000000-1111-1111-1111-0000000000000', level: 1, 
@@ -77,19 +76,19 @@ describe('ActivityDescriptionComponent', () => { expect(isEmptyObj(component.currentActivity)).toBeFalsy(); }); - it('check if header is being generated', () => { - const testDimension = 'Dim 1'; - const testSubDimension = 'SubDim 1.1'; + it('check if header is being generated', async () => { + const testSubDimension = 'SubDim-1.1'; + await fixture.whenStable(); fixture.detectChanges(); + const HTMLElement: HTMLElement = fixture.nativeElement; const heading = HTMLElement.querySelector('h1')!; - expect(heading?.textContent).toContain(testDimension); expect(heading?.textContent).toContain(testSubDimension); }); - it('check if content is displayed', () => { + it('check if content is displayed', async () => { // console.log(`${perfNow()}: ActivityDescription: "check if content is displayed"`); const testUUID = '00000000-1111-1111-1111-0000000000000'; const testDesc = 'Description 111'; @@ -99,6 +98,7 @@ describe('ActivityDescriptionComponent', () => { const testComments = 'Comments 111'; const testImplementationGuide = 'Implementation Guide 111'; + await fixture.whenStable(); fixture.detectChanges(); const HTMLElement: HTMLElement = fixture.nativeElement; diff --git a/src/app/component/activity-description/activity-description.component.ts b/src/app/component/activity-description/activity-description.component.ts index c0580ac90..ce36c356e 100644 --- a/src/app/component/activity-description/activity-description.component.ts +++ b/src/app/component/activity-description/activity-description.component.ts 
@@ -1,8 +1,8 @@ import { Component, ViewChildren, QueryList, OnInit } from '@angular/core'; import { MatAccordion } from '@angular/material/expansion'; -import { ActivatedRoute } from '@angular/router'; +import { ActivatedRoute, Router } from '@angular/router'; import { LoaderService } from '../../service/loader/data-loader.service'; -import { Activity } from '../../model/activity-store'; +import { Activity, ActivityStore } from '../../model/activity-store'; import { DataStore } from 'src/app/model/data-store'; @Component({ @@ -23,20 +23,29 @@ export class ActivityDescriptionComponent implements OnInit { openCREVersion: string = 'OpenCRE'; @ViewChildren(MatAccordion) accordion!: QueryList; - constructor(private route: ActivatedRoute, private loader: LoaderService) {} + constructor( + private route: ActivatedRoute, + private loader: LoaderService, + private router: Router + ) {} ngOnInit() { - let uuid: string = this.route.snapshot.queryParams['uuid']; - let name: string = this.route.snapshot.queryParams['name']; + this.route.queryParams.subscribe(params => { + const uuid: string = params['uuid']; + const name: string = params['name']; + this.loadActivity(uuid, name); + }); + } - // Load data + loadActivity(uuid?: string, name?: string) { this.loader .load() .then((dataStore: DataStore) => { - // Find the activity with matching UUID (or potentially name) - if (!dataStore.activityStore) throw Error('TODO: Must handle these'); - - let activity: Activity = dataStore.activityStore.getActivity(uuid, name); + if (!dataStore.activityStore) throw Error('DateStore not loaded'); + // Ensure uuid and name are strings (fallback to empty string if undefined) + const uuidStr = uuid ?? ''; + const nameStr = name ?? ''; + let activity: Activity = dataStore.activityStore.getActivity(uuidStr, nameStr); if (!activity) { throw new Error('Activity not found'); } 
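Review bot: Every `queryParams` emission starts a new `loader.load().then(...)` and nothing discards a result that arrives after a newer request, so two quick navigations can leave the view showing the earlier activity; `load()` appears to cache, which keeps the window small, but the ordering is still not guaranteed. A sequence token closes it: `private loadSeq = 0;` on the class, `const seq = ++this.loadSeq;` at the top of `loadActivity`, and `if (seq !== this.loadSeq) return;` as the first line of the `.then` callback. Note also that `uuid` and `name` come straight from the URL and the two `throw`s inside `.then` become unhandled promise rejections unless the chain ends in a `.catch`, which is outside the hunk; the rest of the `.then` body continues past the hunk as well.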
@@ -59,6 +68,22 @@ export class ActivityDescriptionComponent implements OnInit { }); } + onActivityClicked(activityName: string) { + // Find the activity by name and update the view without reloading the page + const activityStore: ActivityStore = this.loader.datastore?.activityStore as ActivityStore; + const activity: Activity = activityStore?.getActivityByName(activityName) as Activity; + + if (activity) { + // Update the URL query params (SPA style) + this.router.navigate([], { + relativeTo: this.route, + queryParams: { uuid: activity.uuid }, + queryParamsHandling: 'merge', + }); + this.loadActivity(activity.uuid, activity.name); + } + } + // Expand all function openAll(): void { this.accordion.forEach(element => { diff --git a/src/app/component/dependency-graph/dependency-graph.component.ts b/src/app/component/dependency-graph/dependency-graph.component.ts index 5c458c755..892ff6b14 100644 --- a/src/app/component/dependency-graph/dependency-graph.component.ts +++ b/src/app/component/dependency-graph/dependency-graph.component.ts @@ -5,6 +5,8 @@ import { Activity } from 'src/app/model/activity-store'; import { DataStore } from 'src/app/model/data-store'; import { ThemeService } from 'src/app/service/theme.service'; +import { Output, EventEmitter } from '@angular/core'; + export interface graphNodes { id: string; relativeLevel: number; @@ -47,6 +49,8 @@ export class DependencyGraphComponent implements OnInit, OnChanges { @Input() activityName: string = ''; + @Output() activityClicked = new EventEmitter(); + constructor(private loader: LoaderService, private themeService: ThemeService) { this.theme = this.themeService.getTheme(); this.setThemeColors(this.theme); @@ -55,7 +59,6 @@ export class DependencyGraphComponent implements OnInit, OnChanges { ngOnInit(): void { this.loader.load().then((dataStore: DataStore) => { this.dataStore = dataStore; - console.log('Dep-graph: Setting datastore'); if (!dataStore.activityStore) { throw Error('No activity store loaded'); } 
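Review bot: `queryParamsHandling: 'merge'` keeps an existing `name` query param next to the new `uuid`, and the `queryParams` subscription from `ngOnInit` then calls `loadActivity(newUuid, oldName)` a second time right after the direct `this.loadActivity(activity.uuid, activity.name)` here; whether the stale `name` can win over `uuid` depends on `getActivity`, which I cannot see. Clearing it and letting the subscription do the single load avoids both problems: `queryParams: { uuid: activity.uuid, name: null },` and drop the trailing `this.loadActivity(...)` call. The `as ActivityStore` / `as Activity` casts only hide a possible null; `const activity = this.loader.datastore?.activityStore?.getActivityByName(activityName); if (!activity) return;` keeps the guard the `if (activity)` already implies without the assertions.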
@@ -69,7 +72,6 @@ export class DependencyGraphComponent implements OnInit, OnChanges { } ngOnChanges(changes: SimpleChanges): void { - console.log(changes); if (this.dataStore?.activityStore) { if (changes?.hasOwnProperty('activityName')) { this.populateGraph(changes['activityName'].currentValue); @@ -157,11 +159,12 @@ export class DependencyGraphComponent implements OnInit, OnChanges { } initX(d: any): number { - let col: number = 8; - if (d.activityCount > col && d.activityCount < col * 2) { - col = Math.ceil(d.activityCount / 2); + let colSize: number = 8; + if (d.activityCount > colSize && d.activityCount <= colSize * 2.5) { + let colCount: number = Math.ceil(d.activityCount / colSize); + colSize = Math.ceil(d.activityCount / colCount); } - return d.relativeLevel * Math.ceil(d.activityIndex / col) * 300; + return d.relativeLevel * Math.ceil(d.activityIndex / colSize) * 300; } initY(d: any): number { return d.relativeLevel * 30; @@ -176,15 +179,8 @@ export class DependencyGraphComponent implements OnInit, OnChanges { this.simulation = d3 .forceSimulation() // .alphaMin(0.11) - .force( - 'link', - d3.forceLink().id(function (d: any) { - return d.id; - }).strength(0.1) - ) - .force('x', d3.forceX((d: any) => { return self.initX(d) }).strength(5) - ) - // .force('y', d3.forceY( this.initY ).strength(5)) + .force('link', d3.forceLink().id((d: any) => { return d.id; }).strength(0.1)) + .force('x', d3.forceX((d: any) => { return self.initX(d) }).strength(5)) .force('charge', d3.forceManyBody().strength(-30)) .force('collide', d3.forceCollide((d: any) => 30)) .force('center', d3.forceCenter(0, 0)); 
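Review bot: `initX` now carries three unexplained constants (`8`, `2.5`, `300`) and a two-step column recomputation with no comment, which makes the layout rule hard to check or tune; a short TSDoc such as `/** X offset for a node: nodes on one relative level are laid out in columns of up to 8; between 9 and 20 nodes the column size is rebalanced so columns are equally full. Each column is 300px apart. */` plus named constants (`const MAX_COLUMN_SIZE = 8;` etc.) would document the intent. In the force setup both callbacks are arrow functions now, so `self.initX(d)` can be `this.initX(d)`; the `self` alias is declared outside the hunk, so keep it only if something else still uses it.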
@@ -222,7 +218,24 @@ export class DependencyGraphComponent implements OnInit, OnChanges { .selectAll('g') .data(this.graphData['nodes']) .enter() - .append('g'); + .append('g') + .on('click', (event: MouseEvent, d: any) => { + if (d.relativeLevel != 0) { + this.activityClicked.emit(d.id); + } + }) + .on('mouseover', (event: MouseEvent, d: any) => { + if (this.activityClicked.observed) { + if (d.relativeLevel != 0) { + d3.select(event.currentTarget as Element).style('cursor', 'pointer'); + } else { + d3.select(event.currentTarget as Element).style('cursor', 'default'); + } + } + }) + .on('mouseout', (event: MouseEvent, d: any) => { + d3.select(event.currentTarget as Element).style('cursor', 'default'); + }); const rectHeight = 30; const rectRx = 10; diff --git a/src/app/model/activity-store.ts b/src/app/model/activity-store.ts index c439f7d09..163815e32 100644 --- a/src/app/model/activity-store.ts +++ b/src/app/model/activity-store.ts @@ -257,7 +257,6 @@ export class ActivityStore { for (let i = 0; i < activity.dependsOn.length; i++) { if (activity.dependsOn[i].match(UUID)) { if (activityByUuid.hasOwnProperty(activity.dependsOn[i])) { - console.log(`Replaces ${activity.dependsOn[i]} with ${activityByUuid[activity.dependsOn[i]].name}`); activity.dependsOn[i] = activityByUuid[activity.dependsOn[i]].name; } } From c4b8d662b736f743f7ef5ecfdba803355024ce79 Mon Sep 17 00:00:00 2001 From: "EMEAAD\\vbakke" Date: Mon, 29 Sep 2025 22:32:40 +0200 Subject: [PATCH 23/23] Updated roadmap --- src/assets/Markdown Files/TODO-v4.md | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/src/assets/Markdown Files/TODO-v4.md b/src/assets/Markdown Files/TODO-v4.md index 62e159cd7..6f047e8f7 100644 --- a/src/assets/Markdown Files/TODO-v4.md +++ b/src/assets/Markdown Files/TODO-v4.md 
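Review bot: The "is this node navigable" test (`d.relativeLevel != 0`) is duplicated between the click and mouseover handlers with a loose `!=`, so the two can drift apart; hoist it once, `const navigable = (d: any): boolean => d.relativeLevel !== 0;`, and use it in both, and consider gating the click emit on `this.activityClicked.observed` the same way the cursor logic is, so the centre node and unobserved graphs behave consistently. The unused `event` parameter in the click handler can be `_event` to satisfy the linter.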
@@ -1,25 +1,18 @@ ## Doing -### Dependency graph - -- Dependency graph: Make connecting nodes clickable -- Heatmap: Add #uuid to URL ## Next -- Teams: Bug: Reads progress heading from activityStore, not metaStore -- Team KPI: One KPI per ProgressDefinition -- KPI: Add Sub-title - -## ToDo -- Heatmap: Fix: asterisk marks when modified - - ViewController needs to know about changes vs temp storage -- Heatmap: Bug: Clicking on grey sector leaves cursor on that sector ### Settings - Settings: Make settings page - Settings: Date format (don't rely just on browser language) -- Settings: Display mode dark/light - Settings: Progress Definition: Make customizable stage: Name, Percentage, Definition (free text) - Settings: Set Max maturity level (1-5) - Settings: Terms: Allow custom names for: team, group, etc + +## ToDo +### KPI +- Teams: Bug: Reads progress heading from activityStore, not metaStore +- Team KPI: One KPI per ProgressDefinition +- KPI: Add Sub-title ### Matrix - Matrix: Add a Close/Back button ### Teams 
@@ -27,12 +20,17 @@ - Teams: Bug: Editing name, pushes the item last - Teams: Allow editing dates for progress stages ### Heatmap: +- Heatmap: Add #uuid to URL, and allow navigation on clicks in dependencies +- Heatmap: Fix: asterisk marks when modified + - ViewController needs to know about changes vs temp storage +- Heatmap: Bug: Clicking on grey sector leaves cursor on that sector - Heatmap: Bug: Selecting a team group does not always get deselected when flipping teams - Heatmap: meta-yaml: If progress definition is missing, default to 0% + 100% - Heatmap: Revert to boolean checkboxes, if definition is only 0% and 100% - Heatmap: Read previous local storage for backwards compatibility - Heatmap: Input Teams' evidence -- Heatmap: Increase subdimension to be two lines (and increase size) +- Heatmap: Outer rim: Increase subdimension to be two lines (and increase size) +- Heatmap: Outer rim: Make hover display Dimension (over subdimension) ### Documentation - Doc: Update `Usage` - Doc: Update `README.md` @@ -71,6 +69,7 @@ - Meta.yaml: Allow admins to customize the terms 'Team' and 'Group' (e.g. to 'App' and 'Portfolio') # Done +- Dependency: Make connecting nodes clickable for navigation - Dependency: Handle dependsOn uuid, not just name - Matrix: Dependency graph: Render in center of page - Dependency graph: Add to CircularHeatmap Details