Add further implementations.

ioggstream · ioggstream · commit 275d411b9810 · 2022-10-21T15:42:34.000+02:00
diff --git a/src/assets/YAML/default/TestAndVerification/DynamicDepthForApplications.yaml b/src/assets/YAML/default/TestAndVerification/DynamicDepthForApplications.yaml
@@ -2,7 +2,7 @@
 Test and Verification:
   Dynamic depth for applications:
     Coverage analysis:
-      risk: Parts of the service are not still covered.
+      risk: Parts of the service are not still covered by tests.
       measure: Check that there are no missing paths in the application with coverage-tools.
       difficultyOfImplementation:
         knowledge: 4
@@ -12,6 +12,7 @@ Test and Verification:
       level: 4
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-code-pulse
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/coveragepy
       references:
         samm2:
         - V-ST-2-A
@@ -58,6 +59,8 @@ Test and Verification:
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/curl
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/openapi
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-zap
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/schemathesis
       dependsOn:
       - Usage of different roles
       references:
@@ -185,7 +188,7 @@ Test and Verification:
       implementation:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/zest
       isImplemented: false
-      evidence: ""
+      evidence: "For REST APIs, multiple OAuth2 scopes are used."
       comments: ""
     Usage of multiple scanners:
       risk: Each vulnerability scanner has different opportunities. By using just
diff --git a/src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml b/src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml
@@ -1,7 +1,7 @@
 ---
 Test and Verification:
   Static depth for applications:
-    Exclusion of source code duplicates:
+    Exclusion of source code duplicates: &Exclusion-of-source-code-duplicates
       risk: Duplicates in source code might influence the stability of the application.
       measure: Automatic Detection and manual removal of duplicates in source code.
       difficultyOfImplementation:
@@ -24,6 +24,11 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
+    Dead code elimination:
+      <<: *Exclusion-of-source-code-duplicates
+      risk: Dead code increases the attack surface (use of hard coded credentials and
+        variables, sensitive information)
+      measure: Collection of unused code and then manual removal of unused code.
     Local development security checks performed:
       risk: Creating and developing code contains code smells and quality issues.
       measure: |
@@ -38,6 +43,7 @@ Test and Verification:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/fortify-vscode-extension
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/checkmarx-vscode-extension
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/appscan-vscode-extension
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/pre-commit
       references:
         samm2:
         - V-ST-A-1-1
@@ -47,6 +53,31 @@ Test and Verification:
       isImplemented: false
       evidence: ""
       comments: ""
+    API design validation:
+      risk: Creation of insecure or non-compliant API.
+      measure: |
+        Design contract-first APIs using an interface description language such as OpenAPI, AsyncAPI or SOAP
+        and validate the specification using specific tools.
+        Checks should be integrated in IDEs and CI/CD pipelines.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 2
+      usefulness: 4
+      level: 2
+      implementation:
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/stoplight-spectral
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/api-oas-checker
+      references:
+        samm2:
+        - V-ST-1-A
+        iso27001-2017:
+        - 8.25  # Secure development lifecycle
+        - 8.27  # Secure system architecture and engineering principles
+        - 8.28  # Secure coding
+      isImplemented: false
+      evidence: ""
+      comments: ""
     Static analysis for all components/libraries:
       risk: Used components like libraries and legacy applications might have vulnerabilities
       measure: Usage of a static analysis for all used components.
@@ -155,9 +186,9 @@ Test and Verification:
       evidence: ""
       comments: ""
     Stylistic analysis:
-      risk: False source code indenting might lead to vulnerabilities.
+      risk: Unclear or obfuscated code might have unexpected behavior.
       measure: Analysis of compliance to style guides of the source code ensures that
-        source code indenting rules are met.
+        source code formatting rules are met (e.g. indentation, loops, ...).
       difficultyOfImplementation:
         knowledge: 1
         time: 1
@@ -168,6 +199,7 @@ Test and Verification:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/pmd
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/stylecop
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sonarqube
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-super-linter
       references:
         samm2:
         - V-ST-2-A
@@ -193,6 +225,7 @@ Test and Verification:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/retire-js
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/npm-audit
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-dependabot
       references:
         samm2:
         - V-ST-2-A
@@ -218,6 +251,7 @@ Test and Verification:
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/retire-js
       - $ref: src/assets/YAML/default/implementations.yaml#/implementations/npm-audit
+      - $ref: src/assets/YAML/default/implementations.yaml#/implementations/github-dependabot
       references:
         samm2:
         - V-ST-2-A
diff --git a/src/assets/YAML/default/implementations.yaml b/src/assets/YAML/default/implementations.yaml
@@ -654,4 +654,28 @@ implementations:
     url: https://github.com/italia/api-oas-checker
     description: |
       A tool to check OpenAPI specifications using a comprehensive ruleset based
-      on API best practices.
+      on API best practices.
+  coveragepy:
+    name: Coverage.py
+    tags: [testing, coverage]
+    url: https://github.com/nedbat/coveragepy
+    description: |
+      Code coverage measurement for Python
+  github-dependabot:
+    name: Dependabot
+    tags: [dependency, dependency-management, scm]
+    url: https://github.com/dependabot/dependabot-core
+    description: |
+      Dependabot creates pull requests to keep your dependencies secure and up-to-date.
+  github-super-linter:
+    name: Super-Linter
+    tags: [linting, scm]
+    url: https://github.com/github/super-linter
+    description: |
+      Lint code bases to catch common errors and enforce code style
+  schemathesis:
+    name: Schemathesis
+    tags: [testing, api, documentation]
+    url: https://github.com/schemathesis/schemathesis
+    description: |
+      Schemathesis is a tool for testing web applications and services by sending requests based on the Open API / Swagger schema.
