Merge pull request #91 from james-ahearn/feat/devAndsource-control

Feat/dev andsource control

Author: wurstbrot

data/dimensions-subdimensions-activities/CultureAndOrganization/Process.yaml

@@ -1,22 +1,5 @@
 Culture and Organization:
   Process:
-    Source Control Protection:
-      risk: Unaproved code in important branches like master.
-      measure: Enabled protections on the source code management system preventing commited directly to an important branch.
-      difficultyOfImplementation:
-        knowledge: 2
-        time: 1
-        resources: 2
-      usefulness: 4
-      level: 1
-      iso27001-2017:
-        - peer review - four eyes principle is not explicitly required by ISO 27001
-        - 6.1.2
-        - 14.2.1
-      implementation:
-      - $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/azuredevops
-      - $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/github-policies
-      samm2: O-EM-1-C
     Definition of simple BCDR practices for critical components:
       risk:
       - In case of an emergency, like a power outage, DR actions to perform are not

data/dimensions-subdimensions-activities/Implementation/DevelopmentAndSourceControl

@@ -0,0 +1,78 @@
+Implementation:
+  Development & Source Control:
+    Local development linting & style checks performed:
+      risk:
+      - Creating and developing code that contains code smells and quality issues. 
+      measure: |
+        Integration of quality and linting plugins with interactive development environment (IDEs). 
+      difficultyOfImplementation:
+        knowledge: 1
+        time: 1
+        resources: 1
+      usefulness: 2
+      level: 1
+      md-description: |
+        
+      implementation:
+      - $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/stylecop
+      - $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/sonarqube
+      samm2: V-ST-A-1-1
+      iso27001-2017:
+       
+    Local development security checks performed:
+      risk:
+      - Creating and developing code contains code smells and quality issues. 
+      measure: |
+        Integration of quality and linting plugins with interactive development environment (IDEs). 
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 1
+        resources: 1
+      usefulness: 4
+      level: 2
+      md-description: |
+        
+      implementation:
+      - $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/fortify-vscode-extension
+      - $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/checkmarx-vscode-extension
+      - $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/appscan-vscode-extension
+      samm2: V-ST-A-1-1
+      iso27001-2017:
+      - hardening is not explicitly covered by ISO 27001 - too specific
+      - 13.1.3
+  
+    Source Control Protection:
+      risk: Unapproved code in important branches like master.
+      measure: Enabled protections on the source code management system preventing committed directly to an important branch.
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 1
+        resources: 2
+      usefulness: 4
+      level: 1
+      iso27001-2017:
+        - peer review - four eyes principle is not explicitly required by ISO 27001
+        - 6.1.2
+        - 14.2.1
+      implementation:
+      - $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/azuredevops
+      - $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/github-policies
+      samm2: O-EM-1-C
+    Pre-Commit checks & validations:
+      risk:
+      - Using an insecure application might lead to a compromised application. This
+        might lead to total data theft or data modification.
+      measure: |
+        Implement pre-commit validations to prevent secrets & other security issues being commit to source code.
+      difficultyOfImplementation:
+        knowledge: 4
+        time: 4
+        resources: 2
+      usefulness: 4
+      level: 2
+      implementation:
+      - $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/pre-commit-microsoft
+      - $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/pre-commit-synopsis
+      samm2: V-ST-A-1-1
+      iso27001-2017:
+  

data/dimensions-subdimensions-activities/implementations.yaml

@@ -518,3 +518,31 @@ implementations:
     name: About protected branches
     url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
     tags: [source-code-protection, scm]
+  sonarqube:
+    name: In-Depth Linting of Your TypeScript While Coding
+    url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding
+    tags: [ide, linting]
+  stylecop:
+    name: How to enforce a consistent coding style in your projects
+    url: https://www.meziantou.net/how-to-enforce-a-consistent-coding-style-in-your-projects.htm
+    tags: [ide, linting]
+  fortify-vscode-extension:
+    name: Fortify Extension for Visual Studio Code
+    url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
+    tags: [ide, sast]
+  appscan-vscode-extension:
+    name: HCL AppScan CodeSweep
+    url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
+    tags: [ide, sast]
+  checkmarx-vscode-extension:
+    name: Setting Up the Visual Studio Code Extension Plugin
+    url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
+    tags: [ide, sast]
+  pre-commit-microsoft:
+    name: DevSecOps control Pre-commit
+    url: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls#plan-and-develop
+    tags: [pre-commit]
+  pre-commit-synopsis:
+    name: Building your DevSecOps pipeline 5 essential activities
+    url: https://www.synopsys.com/blogs/software-security/devsecops-pipeline-checklist/
+    tags: [pre-commit]