devsecopsmaturitymodel / DevSecOps-MaturityModel

GNU General Public License v3.0

Activity Description #110

Closed wurstbrot closed 9 months ago

wurstbrot commented 2 years ago

To create the new frontend application, here is a description for an activity (I enhanced it with missing keys):

```yaml
Building and testing of artifacts in virtual environments: # string
  description: |- # markdown
    While building and testing artifacts, third party systems, application frameworks
    and 3rd party libraries are used. These might be malicious as a result of
    vulnerable libraries or because they are altered during the delivery phase.
  risk: # markdown
  - |-
    While building and testing artifacts, third party systems, application frameworks
    and 3rd party libraries are used. These might be malicious as a result of
    vulnerable libraries or because they are altered during the delivery phase.
  measure: Each step within the build and testing phase is performed in
    a separate virtual environment, which is destroyed afterward.
  assessment: xyz # markdown
  comment: xyz # markdown
  evidence: at xyz you find this screenshot  # markdown
  meta: # object
    implementationGuide: Depending on your environment, usage of virtual machines
      or container technology is a good way. After the build, the filesystem should
      not be used again in other builds. # markdown
  difficultyOfImplementation: # object
    knowledge: 2 # int
    time: 2 # int
    resources: 2 # int
  usefulness: 2 # int
  level: 2 # int
  implementation: # object
  - name: CI/CD tools # string
    tags:
    - ci-cd # string
    url: https://martinfowler.com/articles/continuousIntegration.html # url
    description: CI/CD tools such as jenkins, gitlab-ci or github-actions # string,should be markdown?
  - name: Container technologies and orchestration like Docker, Kubernetes # string,should be markdown?
    tags: []
  references: # object
    samm2: # array
    - I-SB-2-A # reference to https://github.com/owaspsamm/core/tree/develop/model/practice_levels
    iso27001-2017: # array
    - iso27001-2017:14.2.6 # reference to ISO27001 Annex dimensions
```

0x41head commented 2 years ago

I made a few changes to the YAML, please take a look.

```yaml
dimension: #object
  name: Build and Deployment #string
  subdimension: #object
    name: Build #string
    Level1:
      - name: Building and testing of artifacts in virtual environments
        description: |- # markdown
          While building and testing artifacts, third party systems, application frameworks
          and 3rd party libraries are used. These might be malicious as a result of
          vulnerable libraries or because they are altered during the delivery phase.
        risk: # markdown
        - |-
          While building and testing artifacts, third party systems, application frameworks
          and 3rd party libraries are used. These might be malicious as a result of
          vulnerable libraries or because they are altered during the delivery phase.
        measure: Each step within the build and testing phase is performed in
          a separate virtual environment, which is destroyed afterward.
        assessment: xyz # markdown
        comment: xyz # markdown
        evidence: at xyz you find this screenshot  # markdown
        meta: # object
          implementationGuide: Depending on your environment, usage of virtual machines
            or container technology is a good way. After the build, the filesystem should
            not be used again in other builds. # markdown
        difficultyOfImplementation: # object
          knowledge: 2 # int
          time: 2 # int
          resources: 2 # int
        usefulness: 2 # int
        level: 2 # int
        implementation: # object
        - name: CI/CD tools # string
          tags:
          - ci-cd # string
          url: https://martinfowler.com/articles/continuousIntegration.html # url
          description: # markdown
            |-
            CI/CD tools such as jenkins, gitlab-ci or github-actions
        - name: Container technologies and orchestration like Docker, Kubernetes # string
          tags: []
        references: # object
          samm2: # array
          - I-SB-2-A # reference to https://github.com/owaspsamm/core/tree/develop/model/practice_levels
          iso27001-2017: # array
          - iso27001-2017:14.2.6 # reference to ISO27001 Annex dimensions
```

wurstbrot commented 2 years ago

Ok. Just added markdown for measure and changed implementation to array. How do we handle the content of implementation? Should it be an object or a string? In JSON, I would add an object to the array.

```yaml
dimension: #object
  name: Build and Deployment #string
  subdimension: #object
    name: Build #string
    Level1:
      - name: Building and testing of artifacts in virtual environments
        description: |- # markdown
          While building and testing artifacts, third party systems, application frameworks
          and 3rd party libraries are used. These might be malicious as a result of
          vulnerable libraries or because they are altered during the delivery phase.
        risk: # markdown
        - |-
          While building and testing artifacts, third party systems, application frameworks
          and 3rd party libraries are used. These might be malicious as a result of
          vulnerable libraries or because they are altered during the delivery phase.
        measure: Each step within the build and testing phase is performed in
          a separate virtual environment, which is destroyed afterward. # markdown
        assessment: xyz # markdown
        comment: xyz # markdown
        evidence: at xyz you find this screenshot  # markdown
        meta: # object
          implementationGuide: Depending on your environment, usage of virtual machines
            or container technology is a good way. After the build, the filesystem should
            not be used again in other builds. # markdown
        difficultyOfImplementation: # object
          knowledge: 2 # int
          time: 2 # int
          resources: 2 # int
        usefulness: 2 # int
        level: 2 # int
        implementation: # array
        - name: CI/CD tools # string
          tags:
          - ci-cd # string
          url: https://martinfowler.com/articles/continuousIntegration.html # url
          description: # markdown
            |-
            CI/CD tools such as jenkins, gitlab-ci or github-actions
        - name: Container technologies and orchestration like Docker, Kubernetes # string
          tags: []
        references: # object
          samm2: # array
          - I-SB-2-A # reference to https://github.com/owaspsamm/core/tree/develop/model/practice_levels
          iso27001-2017: # array
          - iso27001-2017:14.2.6 # reference to ISO27001 Annex dimensions
```

0x41head commented 2 years ago

I would prefer implementation to be an array of objects

EDIT: Added "IsImplemented" for Implemented Levels

```yaml
dimension: #object
  - name: Build and Deployment #string
    subdimension: #object
      - name: Build #string
        Level1: #object
          - name: Building and testing of artifacts in virtual environments
            description: |- # markdown
              While building and testing artifacts, third party systems, application frameworks
              and 3rd party libraries are used. These might be malicious as a result of
              vulnerable libraries or because they are altered during the delivery phase.
            risk: # markdown
            - |-
              While building and testing artifacts, third party systems, application frameworks
              and 3rd party libraries are used. These might be malicious as a result of
              vulnerable libraries or because they are altered during the delivery phase.
            measure: Each step within the build and testing phase is performed in
              a separate virtual environment, which is destroyed afterward. # markdown
            assessment: xyz # markdown
            comment: xyz # markdown
            evidence: at xyz you find this screenshot  # markdown
            meta: # object
              implementationGuide: Depending on your environment, usage of virtual machines
                or container technology is a good way. After the build, the filesystem should
                not be used again in other builds. # markdown
            difficultyOfImplementation: # object
              knowledge: 2 # int
              time: 2 # int
              resources: 2 # int
            usefulness: 2 # int
            level: 2 # int
            isImplemented: true #boolean
            implementation: # array
            - name: CI/CD tools # string
              tags:
              - ci-cd # string
              url: https://martinfowler.com/articles/continuousIntegration.html # url
              description: # markdown
                |-
                CI/CD tools such as jenkins, gitlab-ci or github-actions
            - name: Container technologies and orchestration like Docker, Kubernetes # string
              tags: []
            references: # object
              samm2: # array
              - I-SB-2-A # reference to https://github.com/owaspsamm/core/tree/develop/model/practice_levels
              iso27001-2017: # array
              - iso27001-2017:14.2.6 # reference to ISO27001 Annex dimensions
```
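The thread settles on a per-activity shape: markdown strings, `# int` efforts and levels, an `isImplemented` boolean, `implementation` as an array of objects, and `references` as an object of arrays. Any frontend that loads these files has to check that shape before trusting it, so here is an added Python validator for it; this is example code, not part of the DevSecOps-MaturityModel project, and `validate_activity`, its helpers and the shortened `ACTIVITY` sample are constructed for this illustration.

```python
"""Schema check for a DSOMM activity in the shape proposed in the last comment.
Constructed example, not project code. Input is the dict yaml.safe_load()
returns (use safe_load: yaml.load can instantiate arbitrary Python objects)."""
SCALARS = (("name", str), ("description", str), ("measure", str),
           ("usefulness", int), ("level", int), ("isImplemented", bool))

def _is(value: object, kind: type) -> bool:
    # bool is a subclass of int, so `true` must not pass as an int
    return isinstance(value, kind) and (kind is not int or not isinstance(value, bool))

def _str_list(value: object) -> bool:
    return isinstance(value, list) and all(isinstance(x, str) for x in value)

def _object(obj: object, where: str, keys: tuple, ok, what: str) -> list[str]:
    if not isinstance(obj, dict):
        return [f"{where}: expected object"]
    return [f"{where}.{k}: expected {what}" for k in keys if not ok(obj.get(k))]

def validate_activity(act: dict) -> list[str]:
    """Return schema violations for one activity; an empty list means valid."""
    errors = [f"{k}: expected {t.__name__}" for k, t in SCALARS if not _is(act.get(k), t)]
    if not _str_list(act.get("risk")):
        errors.append("risk: expected array of markdown strings")
    errors += _object(act.get("difficultyOfImplementation"), "difficultyOfImplementation",
                      ("knowledge", "time", "resources"), lambda v: _is(v, int), "int")
    errors += _object(act.get("references"), "references",
                      ("samm2", "iso27001-2017"), _str_list, "array of strings")
    impls = act.get("implementation")
    if not isinstance(impls, list):
        return errors + ["implementation: expected array of objects"]
    for i, impl in enumerate(impls):  # array of objects, as agreed in the thread
        if not isinstance(impl, dict) or not isinstance(impl.get("name"), str):
            errors.append(f"implementation[{i}]: expected object with string name")
        elif not _str_list(impl.get("tags", [])):
            errors.append(f"implementation[{i}].tags: expected array of strings")
    return errors

# Constructed sample: parsed form of the proposal above, long markdown texts shortened.
ACTIVITY = {
    "name": "Building and testing of artifacts in virtual environments",
    "description": "Third party systems and libraries used while building may be malicious.",
    "risk": ["Third party systems and libraries used while building may be malicious."],
    "measure": "Each build and test step runs in a separate virtual environment.",
    "difficultyOfImplementation": {"knowledge": 2, "time": 2, "resources": 2},
    "usefulness": 2, "level": 2, "isImplemented": True,
    "implementation": [{"name": "CI/CD tools", "tags": ["ci-cd"]},
                       {"name": "Container technologies like Docker, Kubernetes", "tags": []}],
    "references": {"samm2": ["I-SB-2-A"], "iso27001-2017": ["iso27001-2017:14.2.6"]},
}
```

Because YAML's `true` loads as a Python `bool`, which is also an `int`, the `_is` helper rejects it for the `# int` fields, which is the kind of mismatch a loose check would silently accept.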