From 3013186b80a21e75ea7c1fd229c806a57550ab9b Mon Sep 17 00:00:00 2001 From: Aryan Date: Mon, 25 Jul 2022 17:22:59 +0530 Subject: [PATCH 1/2] Changed : "Task" to "Activity" --- src/app/component/mapping/mapping.component.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/app/component/mapping/mapping.component.html b/src/app/component/mapping/mapping.component.html index d02c116bf..fb5a69038 100644 --- a/src/app/component/mapping/mapping.component.html +++ b/src/app/component/mapping/mapping.component.html @@ -30,7 +30,7 @@
- Tasks + Activity SAMM ISO @@ -52,7 +52,7 @@ - Task + Activity {{element.taskName}} From b3a4dffd2128ffa533a8fbbacb0f1d101e647b1a Mon Sep 17 00:00:00 2001 
From: Aryan Date: Mon, 25 Jul 2022 20:00:27 +0530 Subject: [PATCH 2/2] Added About Us and Usage Section --- src/app/app-routing.module.ts | 9 +- src/app/app.module.ts | 6 + .../component/about-us/about-us.component.css | 0 .../about-us/about-us.component.html | 2 + .../about-us/about-us.component.spec.ts | 25 ++ .../component/about-us/about-us.component.ts | 15 + .../component/mapping/mapping.component.css | 1 - .../readme-to-html.component.css | 6 + .../readme-to-html.component.html | 3 + .../readme-to-html.component.spec.ts | 25 ++ .../readme-to-html.component.ts | 28 ++ .../sidenav-buttons.component.ts | 6 +- src/app/component/usage/usage.component.css | 0 src/app/component/usage/usage.component.html | 2 + .../component/usage/usage.component.spec.ts | 25 ++ src/app/component/usage/usage.component.ts | 15 + src/assets/Markdown Files/README.md | 161 +++++++ src/assets/Markdown Files/USAGE.md | 417 ++++++++++++++++++ src/assets/YAML/generated/sample.yaml | 2 +- 19 files changed, 741 insertions(+), 7 deletions(-) create mode 100644 src/app/component/about-us/about-us.component.css create mode 100644 src/app/component/about-us/about-us.component.html create mode 100644 src/app/component/about-us/about-us.component.spec.ts create mode 100644 src/app/component/about-us/about-us.component.ts create mode 100644 src/app/component/readme-to-html/readme-to-html.component.css create mode 100644 src/app/component/readme-to-html/readme-to-html.component.html create mode 100644 src/app/component/readme-to-html/readme-to-html.component.spec.ts create mode 100644 src/app/component/readme-to-html/readme-to-html.component.ts create mode 100644 src/app/component/usage/usage.component.css create mode 100644 src/app/component/usage/usage.component.html create mode 100644 src/app/component/usage/usage.component.spec.ts create mode 100644 src/app/component/usage/usage.component.ts create mode 100644 src/assets/Markdown Files/README.md create mode 100644 src/assets/Markdown 
Files/USAGE.md diff --git a/src/app/app-routing.module.ts b/src/app/app-routing.module.ts index 79f3d24cb..d35e1c541 100644 --- a/src/app/app-routing.module.ts +++ b/src/app/app-routing.module.ts @@ -1,17 +1,22 @@ -import { NgModule } from '@angular/core'; +import { Component, NgModule } from '@angular/core'; import { RouterModule, Routes } from '@angular/router'; +import { AboutUsComponent } from './component/about-us/about-us.component'; import { CircularHeatmapComponent } from './component/circular-heatmap/circular-heatmap.component'; import { MainContentComponent } from './component/main-content/main-content.component'; import { MappingComponent } from './component/mapping/mapping.component'; import { MatrixComponent } from './component/matrix/matrix.component'; import { TaskDescriptionComponent } from './component/task-description/task-description.component'; +import { UsageComponent } from './component/usage/usage.component'; + const routes: Routes = [ {path: '',component: MainContentComponent}, {path: 'matrix', component: MatrixComponent}, {path: 'circular-heatmap', component: CircularHeatmapComponent}, {path: 'task-description', component: TaskDescriptionComponent}, - {path: 'mapping', component: MappingComponent} + {path: 'mapping', component: MappingComponent}, + {path: 'usage', component:UsageComponent}, + {path: 'about', component:AboutUsComponent} ]; @NgModule({ diff --git a/src/app/app.module.ts b/src/app/app.module.ts index a3154f07d..81c7d1397 100644 --- a/src/app/app.module.ts +++ b/src/app/app.module.ts 
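Review bot: `Component` is added to the `@angular/core` import on the first changed line of the app-routing hunk but is never referenced in this module, so the change only introduces an unused symbol that `@typescript-eslint/no-unused-vars` will flag; the original `import { NgModule } from '@angular/core';` should be kept. The two new route entries are also written as `component:UsageComponent` / `component:AboutUsComponent`, unlike the surrounding `component: MappingComponent` style, so `{path: 'usage', component: UsageComponent},` and `{path: 'about', component: AboutUsComponent}` would match the rest of the array. The `routes` array is fully inside the hunk; the `@NgModule` decorator that follows continues outside it.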
@@ -17,6 +17,9 @@ import { HttpClientModule } from '@angular/common/http'; import { CombinerService } from './service/combiner/combiner.service'; import { CircularHeatmapComponent } from './component/circular-heatmap/circular-heatmap.component'; import { MappingComponent } from './component/mapping/mapping.component'; +import { ReadmeToHtmlComponent } from './component/readme-to-html/readme-to-html.component'; +import { UsageComponent } from './component/usage/usage.component'; +import { AboutUsComponent } from './component/about-us/about-us.component'; @NgModule({ @@ -30,6 +33,9 @@ import { MappingComponent } from './component/mapping/mapping.component'; TaskDescriptionComponent, CircularHeatmapComponent, MappingComponent, + ReadmeToHtmlComponent, + UsageComponent, + AboutUsComponent, ], imports: [ diff --git a/src/app/component/about-us/about-us.component.css b/src/app/component/about-us/about-us.component.css new file mode 100644 index 000000000..e69de29bb diff --git a/src/app/component/about-us/about-us.component.html b/src/app/component/about-us/about-us.component.html new file mode 100644 index 000000000..6119a0069 --- /dev/null +++ b/src/app/component/about-us/about-us.component.html @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/src/app/component/about-us/about-us.component.spec.ts b/src/app/component/about-us/about-us.component.spec.ts new file mode 100644 index 000000000..b1910ef5d --- /dev/null +++ b/src/app/component/about-us/about-us.component.spec.ts 
@@ -0,0 +1,25 @@ +import { ComponentFixture, TestBed } from '@angular/core/testing'; + +import { AboutUsComponent } from './about-us.component'; + +describe('AboutUsComponent', () => { + let component: AboutUsComponent; + let fixture: ComponentFixture; + + beforeEach(async () => { + await TestBed.configureTestingModule({ + declarations: [ AboutUsComponent ] + }) + .compileComponents(); + }); + + beforeEach(() => { + fixture = TestBed.createComponent(AboutUsComponent); + component = fixture.componentInstance; + fixture.detectChanges(); + }); + + it('should create', () => { + expect(component).toBeTruthy(); + }); +}); diff --git a/src/app/component/about-us/about-us.component.ts b/src/app/component/about-us/about-us.component.ts new file mode 100644 index 000000000..d28752758 --- /dev/null +++ b/src/app/component/about-us/about-us.component.ts @@ -0,0 +1,15 @@ +import { Component, OnInit } from '@angular/core'; + +@Component({ + selector: 'app-about-us', + templateUrl: './about-us.component.html', + styleUrls: ['./about-us.component.css'] +}) +export class AboutUsComponent implements OnInit { + + constructor() { } + + ngOnInit(): void { + } + +} diff --git a/src/app/component/mapping/mapping.component.css b/src/app/component/mapping/mapping.component.css index 0910a0933..7a03b4070 100644 --- a/src/app/component/mapping/mapping.component.css +++ b/src/app/component/mapping/mapping.component.css @@ -7,7 +7,6 @@ margin: 20px; width: 50%; background-color: coral; - } .matrix-table{ diff --git a/src/app/component/readme-to-html/readme-to-html.component.css b/src/app/component/readme-to-html/readme-to-html.component.css new file mode 100644 index 000000000..9554b6a38 --- /dev/null +++ b/src/app/component/readme-to-html/readme-to-html.component.css @@ -0,0 +1,6 @@ +.main-section{ + background-color: aqua; + padding: 30px; + padding-top: 0px; + +} \ No newline at end of file 
diff --git a/src/app/component/readme-to-html/readme-to-html.component.html b/src/app/component/readme-to-html/readme-to-html.component.html new file mode 100644 index 000000000..066096dfb --- /dev/null +++ b/src/app/component/readme-to-html/readme-to-html.component.html @@ -0,0 +1,3 @@ +
+
+
\ No newline at end of file diff --git a/src/app/component/readme-to-html/readme-to-html.component.spec.ts b/src/app/component/readme-to-html/readme-to-html.component.spec.ts new file mode 100644 index 000000000..cb8f04007 --- /dev/null +++ b/src/app/component/readme-to-html/readme-to-html.component.spec.ts @@ -0,0 +1,25 @@ +import { ComponentFixture, TestBed } from '@angular/core/testing'; + +import { ReadmeToHtmlComponent } from './readme-to-html.component'; + +describe('ReadmeToHtmlComponent', () => { + let component: ReadmeToHtmlComponent; + let fixture: ComponentFixture; + + beforeEach(async () => { + await TestBed.configureTestingModule({ + declarations: [ ReadmeToHtmlComponent ] + }) + .compileComponents(); + }); + + beforeEach(() => { + fixture = TestBed.createComponent(ReadmeToHtmlComponent); + component = fixture.componentInstance; + fixture.detectChanges(); + }); + + it('should create', () => { + expect(component).toBeTruthy(); + }); +}); diff --git a/src/app/component/readme-to-html/readme-to-html.component.ts b/src/app/component/readme-to-html/readme-to-html.component.ts new file mode 100644 index 000000000..b4bde6096 --- /dev/null +++ b/src/app/component/readme-to-html/readme-to-html.component.ts @@ -0,0 +1,28 @@ +import { Component, Input, OnInit } from '@angular/core'; +import * as md from 'markdown-it'; +import { HttpClient } from '@angular/common/http'; + +@Component({ + selector: 'app-readme-to-html', + templateUrl: './readme-to-html.component.html', + styleUrls: ['./readme-to-html.component.css'] +}) +export class ReadmeToHtmlComponent implements OnInit { + @Input() MDFile: string= ""; + markdown:md = md() + markdownURI:any + toRender:string="" + constructor(private http:HttpClient) { } + + async ngOnInit() { + try{ + this.markdownURI = await this.http.get(this.MDFile, { responseType: 'text'}).toPromise(); + this.toRender=this.markdown.render(this.markdownURI) + } + catch{ + this.toRender= "Markdown file could not be found" + } + + } + +} 
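Review bot: The readme-to-html spec configures the testing module with `declarations: [ ReadmeToHtmlComponent ]` only, but the component's constructor injects `HttpClient` (visible in the component hunk of this same patch), so `TestBed.createComponent` will throw a NullInjectorError for `HttpClient` before the 'should create' expectation is reached. Add `import { HttpClientTestingModule } from '@angular/common/http/testing';` and pass `imports: [ HttpClientTestingModule ], declarations: [ ReadmeToHtmlComponent ]` to `configureTestingModule` so the GET issued from `ngOnInit` is captured instead of failing injection. The same pattern is worth checking in the about-us and usage specs if their templates embed this component, which this patch does not show.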
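Review bot: `ngOnInit` assumes the `MDFile` input is always set, yet its default is `""`, and `http.get("")` resolves against the document base URL instead of failing, so a caller that omits the input has the app's own index page fetched and rendered as Markdown rather than seeing the "Markdown file could not be found" fallback; the empty string should be rejected before the request is made. In the same body, `markdownURI: any` actually holds the fetched Markdown text (`responseType: 'text'` yields a string) and should be typed `string`, and the bare `catch {}` discards the error, leaving a 404 indistinguishable from a network or CORS failure when debugging. Because `MDFile` is a public input that becomes a request URL and the rendered string is presumably bound through `[innerHTML]` in the template (not visible in this patch), the input should be documented as a same-origin asset path and markdown-it's `html: false` default made explicit, so raw HTML inside a Markdown file stays escaped rather than relying on Angular's sanitizer alone. `toPromise()` is deprecated from RxJS 7 onward; `firstValueFrom` is the replacement if the project is on that version, which this patch does not show.
```typescript
export class ReadmeToHtmlComponent implements OnInit {
  /** Path of the Markdown asset to render, e.g. `assets/Markdown Files/README.md`; must be a same-origin asset path. Empty means nothing to render. */
  @Input() MDFile: string = "";
  // html: false is markdown-it's default; stated explicitly so raw HTML in a Markdown file stays escaped.
  markdown = md({ html: false });
  /** Raw Markdown text as fetched; rendered into `toRender`. */
  markdownURI: string = "";
  toRender: string = "";

  constructor(private http: HttpClient) {}

  async ngOnInit(): Promise<void> {
    if (!this.MDFile) {
      // http.get("") would fetch the current document instead of failing.
      this.toRender = "Markdown file could not be found";
      return;
    }
    try {
      this.markdownURI = (await this.http.get(this.MDFile, { responseType: 'text' }).toPromise()) ?? "";
      this.toRender = this.markdown.render(this.markdownURI);
    } catch (err: unknown) {
      console.error(`Could not load Markdown file ${this.MDFile}`, err);
      this.toRender = "Markdown file could not be found";
    }
  }
}
```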
diff --git a/src/app/component/sidenav-buttons/sidenav-buttons.component.ts b/src/app/component/sidenav-buttons/sidenav-buttons.component.ts index 6b7720162..ac77c61b7 100644 --- a/src/app/component/sidenav-buttons/sidenav-buttons.component.ts +++ b/src/app/component/sidenav-buttons/sidenav-buttons.component.ts @@ -6,9 +6,9 @@ import { Component, OnInit } from '@angular/core'; styleUrls: ['./sidenav-buttons.component.css'] }) export class SidenavButtonsComponent implements OnInit { - Options: string[] = ['Matrix', 'Home','Implementation Levels','Mappings']; - Icons: string[] = ['bar_chart','home','home','home']; - Routing: string[]=['/matrix','/','/circular-heatmap','/mapping'] + Options: string[] = ['Matrix', 'Home','Implementation Levels','Mappings','Usage','About Us']; + Icons: string[] = ['bar_chart','home','home','home','home','home']; + Routing: string[]=['/matrix','/','/circular-heatmap','/mapping','/usage','/about'] constructor() { } ngOnInit(): void { diff --git a/src/app/component/usage/usage.component.css b/src/app/component/usage/usage.component.css new file mode 100644 index 000000000..e69de29bb diff --git a/src/app/component/usage/usage.component.html b/src/app/component/usage/usage.component.html new file mode 100644 index 000000000..843ada0ac --- /dev/null +++ b/src/app/component/usage/usage.component.html @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/src/app/component/usage/usage.component.spec.ts b/src/app/component/usage/usage.component.spec.ts new file mode 100644 index 000000000..ed28e91d1 --- /dev/null +++ b/src/app/component/usage/usage.component.spec.ts 
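Review bot: The two new buttons are added by appending to three parallel arrays (`Options`, `Icons`, `Routing`) that are related only by index, so a future entry added to one array but not the others silently mislabels or misroutes a button; both new items also receive the `home` icon, which reads as a placeholder. Keeping each button's label, icon and route in one object removes the index coupling; the sidenav template that iterates these arrays is outside this patch and would need its bindings updated in the same change. The class body continues outside the hunk after `ngOnInit`.
```typescript
export class SidenavButtonsComponent implements OnInit {
  /** One entry per sidenav button; label, Material icon name and router path are kept together so they cannot drift apart. */
  readonly navItems = [
    { label: 'Matrix', icon: 'bar_chart', route: '/matrix' },
    { label: 'Home', icon: 'home', route: '/' },
    { label: 'Implementation Levels', icon: 'home', route: '/circular-heatmap' },
    { label: 'Mappings', icon: 'home', route: '/mapping' },
    { label: 'Usage', icon: 'home', route: '/usage' },
    { label: 'About Us', icon: 'home', route: '/about' },
  ];
  // … unchanged: constructor, ngOnInit …
```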
@@ -0,0 +1,25 @@ +import { ComponentFixture, TestBed } from '@angular/core/testing'; + +import { UsageComponent } from './usage.component'; + +describe('UsageComponent', () => { + let component: UsageComponent; + let fixture: ComponentFixture; + + beforeEach(async () => { + await TestBed.configureTestingModule({ + declarations: [ UsageComponent ] + }) + .compileComponents(); + }); + + beforeEach(() => { + fixture = TestBed.createComponent(UsageComponent); + component = fixture.componentInstance; + fixture.detectChanges(); + }); + + it('should create', () => { + expect(component).toBeTruthy(); + }); +}); diff --git a/src/app/component/usage/usage.component.ts b/src/app/component/usage/usage.component.ts new file mode 100644 index 000000000..ad90190e7 --- /dev/null +++ b/src/app/component/usage/usage.component.ts @@ -0,0 +1,15 @@ +import { Component, OnInit } from '@angular/core'; + +@Component({ + selector: 'app-usage', + templateUrl: './usage.component.html', + styleUrls: ['./usage.component.css'] +}) +export class UsageComponent implements OnInit { + + constructor() { } + + ngOnInit(): void { + } + +} diff --git a/src/assets/Markdown Files/README.md b/src/assets/Markdown Files/README.md new file mode 100644 index 000000000..f5966e5d2 --- /dev/null +++ b/src/assets/Markdown Files/README.md 
@@ -0,0 +1,161 @@ +# Introduction + +From a startup to a multinational corporation the software development industry is currently dominated by agile frameworks and product teams and as part of it DevOps strategies. It has been observed that during the implementation, security aspects are usually neglected or are at least not sufficient taken account of. It is often the case that standard safety requirements of the production environment are not utilized or applied to the build pipeline in the continuous integration environment with containerization or concrete docker. Therefore, the docker registry is often not secured which might result in the theft of the entire company’s source code. + +The OWASP DevSecOps Maturity Model provides opportunities to harden DevOps strategies and shows how these can be prioritized. + +With the help of DevOps strategies security can also be enhanced. For example, each component such as application libraries and operating system libraries in docker images can be tested for known vulnerabilities. + +Attackers are intelligent and creative, equipped with new technologies and purpose. Under the guidance of the forward-looking DevSecOps Maturity Model, appropriate principles and measures are at hand implemented which counteract the attacks. + +# Usage + +Go to https://dsomm.timo-pagel.de or clone [this repository](https://github.com/wurstbrot/DevSecOps-MaturityModel/) and run `startDocker.bash`. + +* _matrix_ shows the dimensions, subdimensions and activities are described. +* _Implementation Levels_ can be used to measure the current implementation level by clicking on the specific activities which have been performed. +* _Ease and Value of Implementation_ is used for the maturity model development to see the ease and value of each activity to be able to compare it with activities within the subdimension and activities from other subdimensions. 
+* _Dependenies_ shows the dependencies between activities +* _Useage_ describes the dimensions +* _Full Report_ prints all activities to be able to print it + +In this [video](https://www.youtube.com/watch?v=tX9RHZ_O5NU) Timo Pagel describes different strategic approaches for your secure DevOps strategy. The use OWASP DSOMM in combination with [OWASP SAMM](https//owaspsamm.org) is explained. + +In case you have evidence or review questions to gather evidence, you can add the attribute "evidence" to an activity which will be attached to an activity to provide it to your CISO or your customer's CISO. +You can switch on to show open TODO's for evidence by changing IS_SHOW_EVIDENCE_TODO to true 'bib.php' `define(IS_SHOW_EVIDENCE_TODO, true);` + +# Community + +Code Freeze: Currently, with the Google Summer student Aryan Prasad we develop a new Angular frontend version, therefore, we do not accept any code changes right now. + +Join #dsomm in [OWASP Slack](https://owasp.slack.com/join/shared_invite/zt-g398htpy-AZ40HOM1WUOZguJKbblqkw#/). +Create issues or even better Pull Requests in [github](https://github.com/wurstbrot/DevSecOps-MaturityModel/). 
+ +# Slides and talks +* [Video: OWASP (DevSecOps) Projects, 2021-04-28, OWASP Stammtisch Frankfurt](https://www.youtube.com/watch?v=8webiYnF56A) +* [Video: DSOMM Enhancement Workshop at Open Security Summit, 2021-04-16](https://youtu.be/H2BA6gaeKBE) +* [Video: Strategic Usage of the OWASP Software Assurance Maturity Model and the OWASP DevSecOps Maturity Model, OWASP Jakarta](https://m.youtube.com/watch?v=lLMLGIzl56M) +* [Slides: DSOMM Overview](https://docs.google.com/presentation/d/1eQcE_AsR1g6uOVf3B2Ehh1g0cHvPknkdLY4BzMYatSw/edit?usp=sharing) +* [Video: GitHub practical DSOMM snippet on twitch](https://www.twitch.tv/githubenterprise/clip/EsteemedTriumphantMinkFailFish) +* [Blog: GitHub on DSOMM](https://github.blog/2020-08-06-achieving-devsecops-maturity-with-a-developer-first-community-driven-approach/) 2020 +* [Video: Benutzung vom OWASP DevSecOps Maturity Model (German)](https://vimeo.com/456523229) +* [Online: OWASP DevSecOps Maturity Model - Culture (German)](https://www.meetup.com/de-DE/Breaking-Agile/) 2020-08-25 +* [Video: Usage of the OWASP DevSecOps Maturity Model](https://www.youtube.com/watch?v=tX9RHZ_O5NU), [OWASP Ottawa Chapter](https://www.meetup.com/de-DE/OWASP-Ottawa/events/272355636/), 2020-08-17 +* [Continuous Application Security Testing for Enterprise](https://docs.google.com/presentation/d/1dAewXIHgBEKHKwBPpM5N_G2eM6PRpduoGJrp6R6pNUI/edit?usp=sharing), DevOps Meetup Hamburg, 2019-09-26 +* [DevSecOps Maturity Model](https://docs.google.com/presentation/d/1zF7c_0cPYBO7LHcLNtEApQBB_qJugXgRQUyiwBKKtKk/edit?usp=sharing), Open Security Summit, near London, 2018 +* [Security in DevOps-Strategies](https://www.youtube.com/watch?v=gWjGWebWahE&t=448s), 28.09.2017, Hamburg, Germany +* [DevSecOps Maturity Model](https://docs.google.com/presentation/d/1rrbyXqxy3LXAJNPFrVH99mj_BNaJKymMsXZItYArWEM/edit?usp=sharing), 2017 + +# Assessment + +In case you would like to perform a DevSecOps assessment, the following tools are available: + +* Usage of the 
applicaton in a `container`. +* Development of an export to [OWASP Maturity Models](https://github.com/OWASP/Maturity-Models) (recommended for assessments with a lot of teams) +* Creation of your excel sheet (not recommended, you want to use DevOps, don't even try!) + +## Container + +1. Install [Docker](https://www.docker.com) +2. Run `docker run --rm -p 8080:80 wurstbrot/dsomm:latest +3. Browse to (on macOS and Windows browse to if you are using docker-machine instead + of the native docker installation) + +In case you would like to have perform an assessment for multiple teams, iterate from port 8080 to 8XXX, depending of the size of your team. +In case the application should be visible, but the "Implementation Level" shouldn't be changeable, consider the following code: + +```bash +#!/bin/bash +set -xe + +IMAGE_NAME="/dsomm:latest" + +rm -Rf DevSecOps-MaturityModel || true +git clone git@github.com:wurstbrot/DevSecOps-MaturityModel.git +cp data/* DevSecOps-MaturityModel/data +cp -a selectedData.csv DevSecOps-MaturityModel/selectedData.csv + +cd DevSecOps-MaturityModel +docker build -t $IMAGE_NAME . +docker push $IMAGE_NAME +``` + +This approach also allows teams to perform self assessment with changes tracked in a repository. + + +## Amazon EC2 Instance + +1. In the _EC2_ sidenav select _Instances_ and click _Launch Instance_ +2. In _Step 1: Choose an Amazon Machine Image (AMI)_ choose an _Amazon + Linux AMI_ or _Amazon Linux 2 AMI_ +3. In _Step 3: Configure Instance Details_ unfold _Advanced Details_ and + copy the script below into _User Data_ +4. In _Step 6: Configure Security Group_ add a _Rule_ that opens port 80 + for HTTP +5. Launch your instance +6. 
Browse to your instance's public DNS + +```bash +#!/bin/bash +yum update -y +yum install -y docker +service docker start +docker run -d -p 80:80 wurstbrot/dsomm:latest +``` + +## Tests + +To run basic tests just + +```bash +docker-compose -f docker-compose.dev.yaml up test-php +``` + +# Credits + +* The dimension _Test and Verification_ is based on Christian Schneiders [Security DevOps Maturity Model (SDOMM)](https://www.christian-schneider.net/SecurityDevOpsMaturityModel.html). _Application tests_ and _Infrastructure tests_ are added by Timo Pagel. Also, the sub-dimension _Static depth_ has been evaluated by security experts at [OWASP Stammtisch Hamburg](https://www.owasp.org/index.php/OWASP_German_Chapter_Stammtisch_Initiative/Hamburg). +* The sub-dimension Process has been added after a discussion with [Francois Raynaud](https://www.linkedin.com/in/francoisraynaud/) that reactive activities are missing. +* Enhancement of my basic translation is performed by [Claud Camerino](https://github.com/clazba). +* Adding ISO 27001:2017 mapping, [Andre Baumeier](https://github.com/AndreBaumeier). +* Providing a documentation of how to use `docker` in the Juice Shop for simple copy&paste, [Björn Kimminich](https://github.com/bkimminich/). 
+* [OWASP Project Integration Project Writeup](https://github.com/OWASP/www-project-integration-standards/blob/master/writeups/owasp_in_sdlc/index.md) for providing documentation on different DevSecOps practices which are copied&pasted/ (and adopted) (https://github.com/northdpole, https://github.com/ThunderSon) +* The requirements from [level 0](https://github.com/AppSecure-nrw/security-belts/blob/master/white/) are based on/copied from [AppSecure NRW](https://appsecure.nrw/) + +# Back link + +- [OWASP DevSecOps maturity model page](https://dsomm.timo-pagel.de/) +- [OWASP DevSecOps project page](https://owasp.org/www-project-devsecops-maturity-model/) +- [OWASP](https://owasp.org) + +# Your help is needed to perform + +* Adding a manual on how to use DSOMM +* Integration of Incident Response +* DevSecOps Toolchain Categorization +* App Sec Maturity Models Mapping +* CAMS Categorization +* Adding assessment questions + +# Multilanguage support +Multilanguage support is not given currently and not planned. + +# Sponsors + +[![Timo Pagel IT-Consulting](https://raw.githubusercontent.com/DefectDojo/Documentation/master/doc/img/timo-pagel-logo.png)](https://pagel.pro) + +[![Apprio Inc](https://github.com/wurstbrot/DevSecOps-MaturityModel/raw/master/assets/images/Apiiro_black_logo.png)](https://apiiro.com/) + + +# Donations + +If you are using the model or you are inspired by it, want to help but don't want to create pull requests? You can donate at the [OWASP Project Wiki Page](https://owasp.org/donate/?reponame=www-project-devsecops-maturity-model&title=OWASP+Devsecops+Maturity+Model). Donations might be used for the design of logos/images/design or travels. + +# License + +This program is free software: you can redistribute it and/or modify it under the terms of the [GPL 3](https://www.gnu.org/licenses/) license. + +The intellectual property (content in the _data_ folder) is licensed under Attribution-ShareAlike. 
+An example attribution by changing the content: +> This work is based on the [OWASP DevSecOps Maturity Model](https://dsomm.timo-pagel.de). + +The OWASP DevSecOps Maturity Model and any contributions are Copyright © by Timo Pagel 2017-2022. diff --git a/src/assets/Markdown Files/USAGE.md b/src/assets/Markdown Files/USAGE.md new file mode 100644 index 000000000..ff850f9df --- /dev/null +++ b/src/assets/Markdown Files/USAGE.md 
@@ -0,0 +1,417 @@ +--- +This article explains the usage of DSOMM, the dimensions and + corresponding sub-dimensions. + +# Pre-Requirements + +Before you start, there is kind of maturity level 0. + +The pre-requirements are highly based (mostly copied) on + [AppSecure NRW](https://github.com/AppSecure-nrw/security-belts/tree/master/white). + +## Risk management + +[NIST defines `risk`](https://csrc.nist.gov/glossary/term/risk) as + +> a measure of the extent to which an entity is threatened by a potential +circumstance or event, and typically is a function of: +> 1. the adverse impact, or magnitude of harm, that would arise +> if the circumstance or event occurs; and +> 2. the likelihood of occurrence. + +In information security, risks arise from the loss of: + +- confidentiality, +- integrity, +- or availability + +of information or information systems and reflect the +potential adverse impacts to: + +- organizational operations + (including: - mission, - functions, - image, - or reputation), +- organizational assets, +- individuals, +- other organizations +(see [NIST.SP.800-53Ar4](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf). + +A risk then tied to a **threat**, its **probability** and its **impacts**. + +If you are interested in Risk Management frameworks and +strategies, you can start from +[FISMA](https://csrc.nist.gov/Projects/risk-management/). + +## Onboard Product Owner and other Managers + +To adopt a DSOMM in a product or a project, it is important to identify +the person or the team which is responsible to ensure +that risk-related considerations reflects the organizational +risk tolerance +(see [Risk Executive](https://csrc.nist.gov/glossary/term/risk_executive) +for a more complete view). + +Depending on the project, this "Risk Manager" - which in layman terms +is responsible for judging "risks vs. 
costs" of the product - +can be the `Project Manager`, the `Product Owner` or else: +it is important that he has the proper risk management +knowledge and, receive a proper training. + +The "Risk Manager" must be convinced that continuously improving +security through DSOMM is an effective way to +to minimize risk and build better products. + +The first steps for deploying DSOMM are then the following: + +1. identify the persons in charge for risk decisions +1. make them aware of information security risks, showing the impacts of + threats and their probability. +1. convince them that security requires continuous efforts + +### Benefits + +- The "Risk Manager" is aware that all software have security vulnerabilities, + and that the related risks should be minimized. +- Resources must be allocated to improve security and + to avoid, detect and fix vulnerabilities. +- Management can perform well informed risk decisions +- The "Risk Manager" has transparent knowledge on how secure the product is. + +## Get to Know Security Policies + +Identify the security policies of your organization and adhere to them. + +Share with the Security Champion Guild how you perform the required activities +from the policies, so others can benefit from your experience. + +In addition, provide feedback to the policy owner. + +Communicate discrepancies with the defined security policies +to the "Risk Manager" +so that he can take proper measures. + +### Benefits + +- Adopting security policies addressing threats + simplifies building secure software. +- Basic security risks are handled. + +## Continuously Improve your Security Belt Rank + +Security is like a big pizza. +You cannot eat it as a whole, +but you can slice it and continuously eat small slices. + +Ensure that the "Risk Manager" continuously prioritizes +the security belt activities for the next belt highly +within the product backlog. 
+ +Security belt activities make "good slices" because they are of reasonable +size and have a defined output. + +Celebrate all your implemented security belt activities! + +### Benefits + +- The team has time to improve its software security. +- The team's initially high motivation and momentum can be used. +- The Risk Manager has visibility on the investment + and the benefits of security belts. +- The team is improving its software security. + +## Review Security Belt Activities + +Let the Security Champion Guild review your implementations of security belt +activities (or concepts of these implementations) as soon as possible. +This helps to eradicate misunderstandings of security belt activities early. + +### Benefits + +- The quality of the implementation increases. +- Successes can be celebrated intermediately. +- Early feedback before the belt assessment. + +## Utilize Pairing when starting an activity +When implementing a security belt activity, approach a peer +from the Security Champion Guild to get you started. + +## Benefits + +- Knowledge how to implement security belt activities is spread, + so everyone benefits of prior knowledge. +- Starting to implement security belt activities with guidance is easier. +- The team is improving its software security while avoiding previously + made mistakes. + +# Dimensions + +This section describes the various dimensions +and the corresponding sub dimension. + +The descriptions are highly based (mostly copied) +on the [OWASP Project Integration Project Writeup](https://github.com/OWASP/www-project-integration-standards/blob/master/writeups/owasp_in_sdlc/index.md). + +## Implementation + +This dimension covers topic of "traditional" +hardening of software and infrastructure components. + +There is an abundance of libraries and frameworks implementing +secure defaults. +For frontend development, [ReactJS](https://reactjs.org/) seems to be +the latest favourite in the Javascript world. 
+ +On the database side, there are [ORM](https://sequelize.org/) libraries +and [Query Builders](https://github.com/kayak/pypika) for most languages. + +If you write in Java, +the [ESAPI project](https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/index.html) +offers several methods to securely implement features, +ranging from Cryptography to input escaping and output encoding. + +**Example low maturity scenario:** + +The API was queryable by anyone and GraphQL introspection was enabled since +all components were left in debug configuration. + +Sensitive API paths were not whitelisted. +The team found that the application was attacked when the server showed very +high CPU load. +The response was to bring the system down, very little information about +the attack was found apart from the fact that someone +was mining cryptocurrencies on the server. + +**Example Low Maturity Scenario:** + +The team attempted to build the requested features using vanilla NodeJS, +connectivity to backend systems is validated by firing an internal request +to `/healthcheck?remoteHost=` which attempts to run a ping +command against the IP specified. +All secrets are hard coded. +The team uses off the shelf GraphQL libraries but versions +are not checked using [NPM Audit](https://docs.npmjs.com/cli/audit). +Development is performed by pushing to master which triggers a webhook that +uses FTP to copy latest master to the development server which will become production once development is finished. + +**Example High Maturity Scenario:** + +Team members have access to comprehensive documentation +and a library of code snippets they can use to accelerate development. + +Linters are bundled with pre-commit hooks +and no code reaches master without peer review. + +Pre-merge tests are executed before merging code into master. +Tests run a comprehensive suite of tests covering unit tests, +service acceptance tests, +unit tests as well as regression tests. 
+ +Once a day a pipeline of specially configured +static code analysis tools runs against +the features merged that day, the results are +triaged by a trained security team and fed to engineering. + +There is a cronjob executing Dynamic Analysis tools against Staging +with a similar process. + +Pentests are conducted against features released on every release +and also periodically against the whole software stack. + +# Culture and Organization + +This section covers topics related to culture and organization like +processes, education and the design phase. + +Once requirements are gathered and analysis is performed, +implementation specifics need to be defined. +The outcome of this stage is usually a diagram outlining data flows +and a general system architecture. +This presents an opportunity for both threat modeling +and attaching security considerations +to every ticket and epic that is the outcome of this stage. + +### Design + +There is some great advice on threat modeling out there +*e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/) +article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one. + +A bite sized primer by Adam Shostack himself can be found +[here](https://adam.shostack.org/blog/2018/03/threat-modeling-panel-at-appsec-cali-2018/). + +OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling) +on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html). +Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/). + +There's a few projects that can help with creating Threat Models +at this stage, [PyTM](https://github.com/izar/pytm) is one, +[ThreatSpec](https://github.com/threatspec/threatspec) is another. 
+
+> Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations.
+An example can be found below._
+
+![Threat Model](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/threat_model.png "Threat Model")
+
+Last, if the organisation maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function.
+
+![SKF](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/skf_qs.png "SKF")
+
+This practice has the side effect that it trains non-security specialists to think like attackers.
+
+The outcomes of this stage should help lay the foundation of secure design and considerations.
+
+**Example Low Maturity Scenario:**
+
+Following vague feature requirements the design includes caching data to a local unencrypted database with a hardcoded password.
+
+Remote data store access secrets are hardcoded in the configuration files.
+All communication between backend systems is plaintext.
+
+Frontend serves data over GraphQL as a thin layer between caching system and end user.
+
+GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries.
+Access to data is protected with basic auth set to _1234:1234_ for development purposes.
+
+**Example High Maturity Scenario:**
+
+Based on a detailed threat model defined and updated through code, the team decides the following:
+
+* Local encrypted caches need to expire and auto-purged.
+* Communication channels encrypted and authenticated.
+* All secrets persisted in shared secrets store.
+* Frontend designed with permissions model integration.
+* Permissions matrix defined.
+* Input is escaped output is encoded appropriately using well established libraries.
+
+### Education and Guidence
+
+Metrics won't necessarily improve without training engineering teams and somehow building a security-minded culture.
+Security training is a long and complicated discussion.
+There is a variety of approaches out there, on the testing-only end of the spectrum there is fully black box virtual machines such as [DVWA](http://www.dvwa.co.uk/), [Metasploitable series](https://metasploit.help.rapid7.com/docs/metasploitable-2) and the [VulnHub](https://www.vulnhub.com/) project.
+
+The code & remediation end of the spectrum isn't as well-developed,
+mainly due to the complexity involved in building and distributing such material.
+However, there are some respectable solutions, [Remediate The Flag](https://www.remediatetheflag.com/)
+can be used to setup a code based challenge.
+
+![Remediate the Flag](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/rtf.png "Remediate the Flag")
+
+However, if questionnaires are the preferred medium, or if the organisation
+ is looking for self-service testing, [Secure Coding Dojo](https://github.com/trendmicro/SecureCodingDojo) is an interesting solution.
+
+More on the self-service side, the Security Knowledge Framework has released
+several [Labs](https://owasp-skf.gitbook.io/asvs-write-ups/) that each
+showcase one vulnerability and provides information on how to exploit it.
+
+However, to our knowledge, the most flexible project out there is probably
+the [Juice Shop](https://github.com/bkimminich/juice-shop), deployed
+on Heroku with one click, it offers both CTF functionality and a self-service
+ standalone application that comes with solution detection
+ and a comprehensive progress-board.
+
+![Juice Shop](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/juiceshop.png "Juice Shop")
+
+### Process
+
+**Example High Maturity Scenario:**
+
+Business continuity and Security teams run incident management drills
+ periodically to refresh incident playbook knowledge.
+
+# Test and Verification
+
+At any maturity level, linters can be introduced to ensure that consistent
+ code is being added.
+For most linters, there are IDE integrations providing software engineers
+ with the ability to validate code correctness during development time.
+Several linters also include security specific rules.
+This allows for basic security checks before the code is even committed.
+For example, if you write in Typescript, you can use
+[tslint](https://github.com/palantir/tslint) along
+with [tslint-config-security](https://www.npmjs.com/package/tslint-config-security)
+to easily and quickly perform basic checks.
+
+However, linters cannot detect vulnerabilities in third party libraries,
+and as software supply chain attacks spread, this consideration becomes more important.
+To track third party library usage and audit their security you can use [Dependency Check/Track](https://dependencytrack.org/).
+
+![SKF Code](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/skf_code.png "SKF Code")
+
+This stage can be used to validate software correctness and it's results as a
+ metric for the security related decisions of the previous stages.
+At this stage both automated and manual testing can be performed.
+SAMM again offers 3 maturity levels across Architecture Reviews, Requirements testing, and Security Testing.
+Instructions can be found [here](https://owaspsamm.org/model/verification/) and a screenshot is listed below.
+
+![SAMM Testing](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/samm_testing.png "SAMM Testing")
+
+Testing can be performed several ways and it highly depends on the nature
+of the software, the organisation's cadence, and the regulatory requirements among other things.
+
+If available, automation is a good idea as it allows detection of easy to find vulnerabilities without much human interaction.
+
+If the application communicates using a web-based protocol, the [ZAP](https://github.com/zaproxy/zaproxy) project can be used to automate a great number of web related attacks and detection.
+ZAP can be orchestrated using its REST API and it can even automate multi-stage attacks by leveraging its Zest scripting support.
+
+Vulnerabilities from ZAP and a wide variety of other tools can be imported and managed using a dedicated defect management platform such as [Defect Dojo](https://github.com/DefectDojo/django-DefectDojo)(screenshot below).
+
+![Defect Dojo](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/defectdojo.png "Defect Dojo")
+
+For manual testing the [Web](https://github.com/OWASP/wstg) and [Mobile](https://github.com/OWASP/owasp-mstg) Security Testing Guides can be used to achieve a base level of quality for human driven testing.
+
+**Example Low Maturity Scenario:**
+
+The business deployed the system to production without testing.
+Soon after, the client's routine pentests uncovered deep flaws with access to backend data and services.
+The remediation effort was significant.
+
+**Example High Maturity Scenario:**
+
+The application features received Dynamic Automated testing when each reached staging, a trained QA team validated business requirements that involved security checks.
+A security team performed an adequate pentest and gave a sign-off.
+
+# Build and Deployment
+
+Secure configuration standards can be enforced during the deployment using the [Open Policy Agent](https://www.openpolicyagent.org/).
+
+![SAMM Release](https://github.com/OWASP/www-project-integration-standards/raw/master/writeups/owasp_in_sdlc/images/samm_release.png "SAMM Release")
+
+**Example Low Maturity scenario:**
+
+_please create a PR_
+
+**Example High Maturity scenario:**
+
+The CI/CD system, when migrating successful QA environments to production, applies appropriate configuration to all components.
+Configuration is tested periodically for drift.
+
+Secrets live in-memory only and are persisted in a dedicated Secrets Storage solution such as Hashicorp Vault.
+
+## Information Gathering
+
+Concerning metrics, the community has been quite vocal on what to measure
+and how important it is.
+The OWASP CISO guide offers 3 broad categories of SDLC metrics[1] which can
+ be used to measure effectiveness of security practices.
+Moreover, there is a number of presentations on what could be leveraged
+to improve a security programme, starting from Marcus' Ranum's [keynote](https://www.youtube.com/watch?v=yW7kSVwucSk)
+at Appsec California[1],
+Caroline Wong's similar [presentation](https://www.youtube.com/watch?v=dY8IuQ8rUd4)
+and [this presentation](https://www.youtube.com/watch?v=-XI2DL2Uulo) by J. Rose and R. Sulatycki.
+These among several writeups by private companies all offering their own version of what could be measured.
+
+Projects such as the [ELK stack](https://www.elastic.co/elastic-stack), [Grafana](https://grafana.com/)
+and [Prometheus](https://prometheus.io/docs/introduction/overview/) can be used to aggregate
+ logging and provide observability.
+
+However, no matter the WAFs, Logging, and secure configuration enforced
+at this stage, incidents will occur eventually.
+Incident management is a complicated and high stress process.
+To prepare organisations for this, SAMM includes a section on [incident management](https://owaspsamm.org/model/operations/incident-management/) involving simple questions for stakeholders to answer so you can determine incident preparedness accurately.
+
+**Example High Maturity scenario:**
+
+Logging from all components gets aggregated in dashboards and alerts
+are raised based on several Thresholds and events.
+There are canary values and events fired against monitoring
+from time to time to validate it works.
+
diff --git a/src/assets/YAML/generated/sample.yaml b/src/assets/YAML/generated/sample.yaml
index 400760760..0aa769cca 100644
--- a/src/assets/YAML/generated/sample.yaml
+++ b/src/assets/YAML/generated/sample.yaml
@@ -1382,7 +1382,7 @@ Culture and Organization: samm2: - V-ST-1-B iso27001-2017: [] - isImplemented: false + isImplemented: true evidence: "" comments: "" Security consulting on request: