current status

wurstbrot · wurstbrot · commit 8e4ee9c8d1bf · 2024-08-07T17:21:29.000+02:00
diff --git a/src/assets/YAML/default/CultureAndOrganization/Process.yaml b/src/assets/YAML/default/CultureAndOrganization/Process.yaml
@@ -80,6 +80,42 @@ Culture and Organization:
           - 17.1.1
         iso27001-2022:
           - 5.29
-      isImplemented: false
-      evidence: ""
-      comments: ""
+    Determining the protection requirement:
+      uuid: 123e4567-e89b-12d3-a456-426614174000
+      risk: |-
+        Not defining the protection requirement of applications can lead to wrong prioritization, delayed remediation of 
+        critical security issues, increasing the risk of exploitation and potential damage to the organization.
+      measure: |-
+        Defining the SLA to respond to findings depending on protection requirement and the corresponding handling of vulnerabilities per severity for components like applications are aligned to SLAs. 
+         This is performed for the hole organization and doesn't need to be broken down (yet) on team/product/application. 
+         At least quarterly.
+      description: |-
+        The protection requirements for an application should consider:
+        - Data criticality
+        - Application accessibility (internal vs. external)
+        - Regulatory compliance
+        - Other relevant factors
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 1
+      usefulness: 3
+      level: 2
+      dependsOn: []
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/purify
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/business-friendly-vulnerability-metrics
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/defectdojo-client
+      references:
+        samm2:
+          - I-DM-3-B
+        iso27001-2022:
+          - 5.25
+          - 5.12
+          - 5.13
+          - 5.10
+      tags:
+        - vulnerability-mgmt
+        - metrics
+        - vmm-measurements
diff --git a/src/assets/YAML/default/InformationGathering/TestKPI.yaml b/src/assets/YAML/default/InformationGathering/TestKPI.yaml
@@ -33,24 +33,33 @@ Information Gathering:
         - vulnerability-mgmt
         - metrics
         - vmm-measurement
-    Patching mean time to resolution via PR:
-      uuid: 86d490b9-d798-4a5b-a011-ab9688014c46
+    Number of vulnerabilities/severity/layer:
+      uuid: 0ec92899-a5cb-4649-984b-2fb1d6c784ad
       risk: |-
-        Without measuring Mean Time to Resolution (MTTR) related to patching, it is challenging to identify delays in the patching process. Unaddressed vulnerabilities can be exploited by attackers, leading to potential security breaches and data loss.
+        Failing to convey the number of vulnerabilities by severity and layer (app/infra) might undermine the effectiveness of product teams. This might lead to ignorance of findings.
       measure: |-
-        Measurement and communication of patching Mean Time to Resolution (MTTR) in alignment with Service Level Agreements (SLAs), conducted at least on a quarterly basis.
-        This includes the measurement of the existence of a properly configured automated pull request (PR) tool (e.g., Dependabot or Renovate) in a repository. 
-        In addition, the measurement of the time from opening an automated PR to merging it.
+        Measurement and communication of vulnerabilities per severity for components like applications and split it depending on the layer (e.g. app/infra). At least quarterly.
+      description: |-
+        Communication can be performed in a simple way, e.g. text based during the build process.
+        This activity depends on at least one security testing implementation.
+        Layers to consider (SCA):
+        - Cloud provider (if insights are possible)
+        - Runtimes, e.g. Kubernetes nodes
+        - Base images and container images
+        - Application
         
-        Average time to patch is visualized per component/project/team.
+        Layers to consider SAST/DAST:
+        - Cloud provider
+        - Runtime, e.g. Kubernetes
+        - Base images and container images
+        - Application
       difficultyOfImplementation:
-        knowledge: 1
-        time: 1
+        knowledge: 2
+        time: 2
         resources: 2
       usefulness: 3
       level: 2
-      dependsOn:
-        - uuid:8ae0b92c-10e0-4602-ba22-7524d6aed488 #Automated PRs for patches
+      dependsOn: []
       implementation: []
       references:
         samm2:
@@ -61,30 +70,28 @@ Information Gathering:
           - 5.13
           - 5.10
       tags:
-        - patching
+        - vulnerability-mgmt
         - metrics
-        - vmm-measurements
-    SLA per criticality: # is this the definition of SLAs or the measurement?
-      uuid: 123e4567-e89b-12d3-a456-426614174000
+        - vmm-measurement
+    Patching mean time to resolution via PR:
+      uuid: 86d490b9-d798-4a5b-a011-ab9688014c46
       risk: |-
-        Not communicating how many applications are adhering to SLAs based on the criticality of vulnerabilities can lead to delayed remediation of 
-        critical security issues, increasing the risk of exploitation and potential damage to the organization.
+        Without measuring Mean Time to Resolution (MTTR) related to patching, it is challenging to identify delays in the patching process. Unaddressed vulnerabilities can be exploited by attackers, leading to potential security breaches and data loss.
       measure: |-
-        Measurement and communication of how many of the vulnerabilities handling per severity for components like applications are aligned to SLAs. 
-        This is performed for the hole organization and doesn't need to be broken down (yet) on team/product/application. 
-        At least quarterly.
+        Measurement and communication of patching Mean Time to Resolution (MTTR) in alignment with Service Level Agreements (SLAs), conducted at least on a quarterly basis.
+        This includes the measurement of the existence of a properly configured automated pull request (PR) tool (e.g., Dependabot or Renovate) in a repository. 
+        In addition, the measurement of the time from opening an automated PR to merging it.
+        
+        Average time to patch is visualized per component/project/team.
       difficultyOfImplementation:
-        knowledge: 2
-        time: 2
+        knowledge: 1
+        time: 1
         resources: 2
       usefulness: 3
-      level: 3
-      dependsOn: []
-      implementation:
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/purify
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/business-friendly-vulnerability-metrics
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/defectdojo-client
+      level: 2
+      dependsOn:
+        - uuid:8ae0b92c-10e0-4602-ba22-7524d6aed488 #Automated PRs for patches
+      implementation: []
       references:
         samm2:
           - I-DM-3-B
@@ -94,7 +101,7 @@ Information Gathering:
           - 5.13
           - 5.10
       tags:
-        - vulnerability-mgmt
+        - patching
         - metrics
         - vmm-measurements
     Patching mean time to resolution via production:
diff --git a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml
@@ -379,3 +379,42 @@ Test and Verification:
       tags:
         - vulnerability-mgmt
         - vmm-measurements
+    Treatment of defects per protection requirement:
+      uuid: 123e4567-e89b-12d3-a456-426614174000
+      risk: |-
+        Not defining the protection requirement of applications can lead to wrong prioritization, delayed remediation of 
+        critical security issues, increasing the risk of exploitation and potential damage to the organization.
+      measure: |-
+        Defining the protection requirement and the corresponding handling of vulnerabilities per severity for components like applications are aligned to SLAs. 
+         This is performed for the hole organization and doesn't need to be broken down (yet) on team/product/application. 
+         At least quarterly.
+      description: |-
+        The protection requirements for an application should consider:
+        - Data criticality
+        - Application accessibility (internal vs. external)
+        - Regulatory compliance
+        - Other relevant factors
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 2
+      usefulness: 3
+      level: 3
+      dependsOn: []
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/purify
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/business-friendly-vulnerability-metrics
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/defectdojo-client
+      references:
+        samm2:
+          - I-DM-3-B
+        iso27001-2022:
+          - 5.25
+          - 5.12
+          - 5.13
+          - 5.10
+      tags:
+        - vulnerability-mgmt
+        - metrics
+        - vmm-measurements
diff --git a/src/assets/YAML/default/TestAndVerification/StaticDepthForInfrastructure.yaml b/src/assets/YAML/default/TestAndVerification/StaticDepthForInfrastructure.yaml
@@ -49,7 +49,7 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
-    Test for known vulnerabilities:
+    Software Composition Analysis:
       uuid: 26e1c6d5-5632-4ec7-80d2-e564b98732ad
       risk:
         Known vulnerabilities in infrastructure components like container images
@@ -346,32 +346,4 @@ Test and Verification:
           - 8.29
           - 8.25
       isImplemented: false
-    Software Composition Analysis:
-      uuid: d918cd44-a972-43e9-a974-eff3f4a5dcfe
-      risk: Infrastructure components might have vulnerabilities.
-      measure:
-        Tests for known vulnerabilities in server side components (e.g. backend/middleware) are performed.
-      difficultyOfImplementation:
-        knowledge: 3
-        time: 5
-        resources: 1
-      usefulness: 2
-      level: 4
-      dependsOn:
-        - Defined build process
-        - uuid:d918cd44-a972-43e9-a974-eff3f4a5dcfe
-      implementation:
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-dependency-che
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/retire-js
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/npm-audit
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/trivy
-      references:
-        samm2:
-          - V-ST-2-A
-        iso27001-2017:
-          - 12.6.1
-        iso27001-2022:
-          - 8.8
-      tags:
-        - vmm-testing
+
diff --git a/src/assets/YAML/generated/generated.yaml b/src/assets/YAML/generated/generated.yaml
