Fix strings, add malware scan

wurstbrot · wurstbrot · commit 2d9bceb70d71 · 2020-09-10T08:50:27.000+02:00
diff --git a/data/BuildandDeployment.yml b/data/BuildandDeployment.yml
@@ -100,8 +100,8 @@ Deployment:
     samm: OE2-A
     samm2: TODO
     iso27001-2017:
-      - 12.3
-      - 14.2.6
+      - "12.3"
+      - "14.2.6"
   Blue/Green Deployment:
     risk: A new artifacts version can have unknown defects.
     measure: By having multiple production environments, a deployment can be performant
@@ -267,8 +267,8 @@ Deployment:
     level: 3
     samm2: o-incident-management|TODO
     iso27001-2017:
-      - 8.1
-      - 8.2
+      - "8.1"
+      - "8.2"
 Patch Management:
   A patch policy is defined:
     risk: Vulnerabilities in running containers stay for long and might get exploited.
@@ -307,8 +307,8 @@ Patch Management:
     level: 1
     samm2: o-environment-management|B|1
     iso27001-2017:
-      - 12.6.1
-      - 14.2.5
+      - "12.6.1"
+      - "14.2.5"
     implementation:
       - <a href="https://dependabot.com/">dependabot</a>
       - Jenkins
diff --git a/data/CultureandOrg.yml b/data/CultureandOrg.yml
@@ -148,9 +148,9 @@ Education and Guidance:
     level: 4
     iso27001-2017:
       - ware games are not explicitly required in ISO 27001 may be
-      - 7.2.2
-      - 16.1
-      - 16.1.5
+      - "7.2.2"
+      - "16.1"
+      - "16.1.5"
   Reward of good communication:
     risk: Employees are not getting excited about security.
     measure: Good communication and transparency encourages cross-organisational support. Gamification of security is also known to help, examples include T-Shirts, mugs, cups, giftcards and 'High-Fives'.
@@ -178,7 +178,7 @@ Education and Guidance:
     level: 4
     samm: EG2-B
     iso27001-2017:
-      - 7.1.1
+      - "7.1.1"
 Culture and Org.:
   Conduction of advanced threat modelling:
     risk: Inadequate identification of business and technical risks.
diff --git a/data/TestandVerification.yml b/data/TestandVerification.yml
@@ -745,6 +745,9 @@ Static depth for infrastructure:
     level: 3
     implementation:
     samm2: v-security-testing|A|1
+    iso27001-2017:
+      - 12.6.1
+      - 14.2.5
   Check for new image version​:
     risk: When a new version of an image is available, it might fixes security vulnerabilities.
     measure: Check for new images of containers in production.
@@ -755,5 +758,22 @@ Static depth for infrastructure:
     usefulness: 2
     level: 3
     implementation:
-    samm2: v-security-testing|A|2    
+    samm2: v-security-testing|A|2
+    iso27001-2017:
+      - 12.6.1
+      - 14.2.5    
+      - 12.2.1
+  Check for malware in components:
+    risk: Third party components might be compromised by malware. Ether due to the maintainer (e.g. typo squatting of an image name and using the wrong image) or by an attacker on behalf of the maintainer with stolen credentials.
+    measure: Check for malware in components (e.g. container images, VM baseline images, libaries).
+    difficultyOfImplementation:
+      knowledge: 2
+      time: 2
+      resources: 2
+    usefulness: 3
+    level: 3
+    implementation:
+    samm2: v-security-testing|A|2
+    iso27001-2017:
+      - 12.2.1
 ...
