Editorial improvements, add vault.

Author: ioggstream

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -20,10 +20,10 @@ Build and Deployment:
         samm2:
         - TODO
         iso27001-2017:
-        - 17.2.1
-        - 12.1.1
-        - 12.1.2
-        - 12.1.4
+        - 17.2.1  # Availability of information processing facilities
+        - 12.1.1  # Documented operational procedures
+        - 12.1.2  # Change management
+        - 12.1.4  # Separation of development,testing and operational environments
         - 12.5.1
         - 14.2.9
       isImplemented: false
@@ -50,9 +50,13 @@ Build and Deployment:
       evidence: ""
       comments: ""
     Defined deployment process:
-      risk: Deployments without a defined process are error prone thus allowing old
-        or untested artifact to be deployed.
-      measure: A defined deployment process ensures that .
+      risk: >-
+        Deployment of insecure or malfunctioning artifacts.
+      measure: >-
+        Defining a deployment process ensures that there are
+        established criteria in terms of functionalities,
+        security, compliance, and performance,
+        and that the artifacts meet them.
       difficultyOfImplementation:
         knowledge: 2
         time: 2
@@ -74,21 +78,23 @@ Build and Deployment:
       evidence: ""
       comments: ""
     Environment depending configuration parameters (secrets):
-      risk: '- Parameters are often used to set credentials, for example by starting
-        containers or applications; these parameters can often be seen by any one
-        listing running processes on the target system.'
-      measure: |
-        Configuration parameters are set for each environment not in the source code.
-        By using encryption, it is harder to read credentials,
-        e.g. from the file system.
-        Also, the usage of a credential management system can help protect credentials.
+      risk: >-
+        Unauthorized access to secrets stored in source code
+        or in artifacts (e.g. container images)
+        through process listing (e.g. ps -ef).
+      measure: >-
+        Set configuration parameters via environment variables 
+        stored using specific platform functionalities
+        or secrets management systems
+        (e.g. Kubernetes secrets or Hashicorp Vault).
       difficultyOfImplementation:
         knowledge: 2
         time: 2
         resources: 1
       usefulness: 4
       level: 2
-      implementation: []
+      implementation:
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/hasicorp-vault
       references:
         samm2:
         - I-SD-1-B
@@ -102,8 +108,10 @@ Build and Deployment:
       risk: '- Parameters are often used to set credentials, for example by starting
         containers or applications; these parameters can often be seen by any one
         listing running processes on the target system.'
-      measure: By using encryption, it is harder to read credentials , e.g. from the
-        file system. Also, the usage of a credential management system can help protect
+      measure: >-
+        Encryption ensures confidentiality of credentials
+        e.g. from unauthorized access on the file system.
+        Also, the usage of a credential management system can help protect
         credentials.
       difficultyOfImplementation:
         knowledge: 2

src/assets/YAML/default/Implementation/DevelopmentAndSourceControl.yaml

@@ -2,9 +2,9 @@
 Implementation:
   Development and Source Control:
     Local development linting & style checks performed:
-      risk: Creating and developing code that contains code smells and quality issues.
-      measure: "Integration of quality and linting plugins with interactive development
-        environment (IDEs)."
+      risk: Insecure or unmaintenable code base.
+      measure: >-
+        Integrate static code analysis tools in IDEs.
       difficultyOfImplementation:
         knowledge: 1
         time: 1
@@ -95,4 +95,32 @@ Implementation:
       isImplemented: false
       evidence: ""
       comments: ""
+    MFA to SCM:
+      risk: Unauthorized access to source code.
+      measure: >-
+        Enforce Multi-Factor authentication to source code management platforms.
+        These policies can be implemented at repository level or organization level,
+        depending on the source code management system.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 1
+        resources: 2
+      usefulness: 4
+      level: 1
+      implementation:
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/yubikey
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/totp
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/smartcard
+      references:
+        samm2:
+        - O-EM-1-A
+        iso27001-2017:
+        - 5.17    # Authentication information
+        - 6.1.2   # Segregation of duties.
+        - 14.2.1  # Secure development policies.
+        d3f:
+        - Multi-factorAuthentication
+      isImplemented: false
+      evidence: ""
+      comments: ""
 ...

src/assets/YAML/default/implementations.yaml

@@ -447,7 +447,7 @@ implementations:
     url: https://github.com/OWASP/Amass
   k8spurger:
     name: K8sPurger
-    tags: [vulnerability, scanner, dast, infrastrcture]
+    tags: [vulnerability, scanner, dast, infrastructure]
     url: https://github.com/yogeshkk/K8sPurger
     description: |
       Hunt Unused Resources In Kubernetes.
@@ -631,7 +631,13 @@ implementations:
       secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box.
   K8sPurger:
     name: K8sPurger
-    tags: [vulnerability, scanner, dast, infrastrcture]
+    tags: [vulnerability, scanner, dast, infrastructure]
     url: https://github.com/yogeshkk/K8sPurger
     description: |
-      Hunt Unused Resources In Kubernetes.
+      Hunt Unused Resources In Kubernetes.
+  hashicorp-vault:
+    name: Hashicorp Vault
+    tags: [authentication, authorization, secrets, infrastructure]
+    url: https://github.com/hashicorp/vault
+    description: |
+      A tool for secrets management, encryption as a service, and privileged access management