🤖 fmt
wurstbrot authored Oct 15, 2024
1 parent 09b3e8a commit ca25d85
Showing 2 changed files with 214 additions and 3 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,10 @@
# [1.13.0](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/compare/v1.12.0...v1.13.0) (2024-10-15)


### Features

* add office hours, vuln management tools, epss ([09b3e8a](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/commit/09b3e8a69936aec7b10dbdb293cbe41fc864edfe))

# [1.12.0](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data/compare/v1.11.1...v1.12.0) (2024-09-23)


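Review bot: the 1.13.0 Features entry names office hours, vulnerability management tools and EPSS, but the generated.yaml in this same release also adds the CISA Known Exploited Vulnerabilities catalog (cisa-kev) and a new "Exploit likelihood estimation" activity; consider amending the release note so the KEV data source and the new activity are discoverable from the changelog rather than only from the YAML diff.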
210 changes: 207 additions & 3 deletions src/assets/YAML/generated/generated.yaml
Expand Up @@ -943,6 +943,14 @@ Build and Deployment:
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
SecObserve:
uuid: d899488c-5799-4df1-a14c-3bb92fec3ac3
name: SecObserve
tags:
- vulnerability management system
url: https://github.com/MaibornWolff/SecObserve
description: |
The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools.
see-other-actions-e:
uuid: 44c08670-78dc-47ee-a4c1-2503ca6b6cf8
name: See other actions, e.g. "Treatment of defects with severity high".
Expand Down Expand Up @@ -1528,6 +1536,21 @@ Build and Deployment:
sprints, and managing software releases. It offers features for creating
and managing tasks, assigning them to team members, and monitoring progress
through customizable workflows and dashboards.
epss:
uuid: e39afc58-8195-4600-92c6-11922e3a141b
name: Exploit Prediction Scoring System
tags:
- vulnerability
url: https://www.first.org/epss/
description: Estimates the likelihood that a software vulnerability will
be exploited.
cisa-kev:
uuid: aa507341-9531-42cd-95cf-d7b51af47086
name: Known Exploited Vulnerabilities
tags:
- vulnerability
url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
description: A catalog of vulnerabilities that have been exploited.
references:
samm2:
- I-SD-1-B
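Review bot: the cisa-kev description "A catalog of vulnerabilities that have been exploited." understates what the catalog is and why it is useful here: CISA KEV lists CVEs with evidence of active exploitation in the wild, which is exactly what makes it usable as "data from the past" in the new Exploit likelihood estimation measure. Suggest `description: A CISA-maintained catalog of vulnerabilities with evidence of active exploitation in the wild.` and naming the entry "CISA Known Exploited Vulnerabilities" so it is distinguishable from a generic list. The epss description could likewise say that EPSS is a probability (0 to 1) that a vulnerability will be exploited in the next 30 days, so assessors know it is a prediction, not an observation.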
Expand Down Expand Up @@ -2807,7 +2830,6 @@ Culture and Organization:
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/12c90cc6-3d58-4d9b-82ff-d469d2a0c298
comments: ""
tags:
- none
teamsImplemented:
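Review bot: this hunk drops `comments: ""` from the Education and Guidance activity 12c90cc6-3d58-4d9b-82ff-d469d2a0c298 while other activities in this file still carry the key (a later hunk in this same diff shows `comments: ""` as unchanged context), so consumers of the generated file now see the key on some activities and not on others. If the generator is meant to omit empty comments, it should do so consistently; otherwise restore the line.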
Expand Down Expand Up @@ -3052,6 +3074,35 @@ Culture and Organization:
Default: false
B: false
C: false
Office Hours:
uuid: 185d5a74-19dc-4422-be07-44ea35226783
risk: Developers and Operations are not in contact with the security team and
therefore do not ask prior implementation of (known or unknown) threats-
measure: As a security team, be open for questions and hints during defined
office hours. x x d
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 3
level: 3
implementation: ~
references:
samm2:
- G-EG-1-A
iso27001-2017:
- 7.2.2
iso27001-2022:
- 6.3
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Education
and Guidance/185d5a74-19dc-4422-be07-44ea35226783
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Regular security training for all:
uuid: 9768f154-357a-4c06-af6f-d66570677c9b
risk: Understanding security is hard.
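Review bot: the `measure` of the new Office Hours activity ends with the stray fragment "x x d" and the `risk` ends in "threats-" with a dangling hyphen; both look like leftover keystrokes in the source YAML and will be rendered verbatim in the DSOMM UI. Suggest `measure: As a security team, be open for questions and hints during defined office hours.` and a risk along the lines of "... and therefore do not ask, prior to implementation, about (known or unknown) threats." Also, `implementation: ~` leaves the activity without any implementation hints, which is worth filling for a level 3 activity that another activity in this diff now depends on.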
Expand Down Expand Up @@ -7195,14 +7246,23 @@ Test and Verification:
risk: Maintenance of false positives in each tool enforces a high workload.
In addition a correlation of the same finding from different tools is not
possible.
measure: Aggregation of vulnerabilities in one tool reduce the workload to mark
false positives.
measure: Aggregation of vulnerabilities in one tool reduce the workload to handle
them, e.g. mark as false positives.
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 2
usefulness: 2
dependsOn:
- f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
- 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87
- 185d5a74-19dc-4422-be07-44ea35226783
level: 3
description: "For known vulnerabilities a processes to estimate the exploit
ability of a vulnerability is recommended.\n\nTo implement a security culture
including training, office hours and security champions can help integrating
\nsecurity scanning at scale. Such activities help to understand why a vulnerability
is potentially critical and needs handling."
implementation:
- uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
name: OWASP DefectDojo
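Review bot: the new multi-line `description` contains a literal `\n` immediately before "security scanning at scale", which splits a sentence mid-clause when rendered, and its first sentence reads "a processes to estimate the exploit ability" (should be "a process to estimate the exploitability"); the reworded `measure` still says "reduce the workload" where "reduces" is needed. The new dependsOn on 185d5a74-19dc-4422-be07-44ea35226783 (Office Hours, a Culture and Organization activity) also deserves a second look: the description only says office hours "can help", which reads as a related activity rather than a hard prerequisite for aggregating findings in one tool.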
Expand All @@ -7219,6 +7279,13 @@ Test and Verification:
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
- uuid: d899488c-5799-4df1-a14c-3bb92fec3ac3
name: SecObserve
tags:
- vulnerability management system
url: https://github.com/MaibornWolff/SecObserve
description: |
The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools.
references:
samm2:
- I-DM-1-B
Expand Down Expand Up @@ -8009,6 +8076,14 @@ Test and Verification:
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
SecObserve:
uuid: d899488c-5799-4df1-a14c-3bb92fec3ac3
name: SecObserve
tags:
- vulnerability management system
url: https://github.com/MaibornWolff/SecObserve
description: |
The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools.
see-other-actions-e:
uuid: 44c08670-78dc-47ee-a4c1-2503ca6b6cf8
name: See other actions, e.g. "Treatment of defects with severity high".
Expand Down Expand Up @@ -8594,6 +8669,21 @@ Test and Verification:
sprints, and managing software releases. It offers features for creating
and managing tasks, assigning them to team members, and monitoring progress
through customizable workflows and dashboards.
epss:
uuid: e39afc58-8195-4600-92c6-11922e3a141b
name: Exploit Prediction Scoring System
tags:
- vulnerability
url: https://www.first.org/epss/
description: Estimates the likelihood that a software vulnerability will
be exploited.
cisa-kev:
uuid: aa507341-9531-42cd-95cf-d7b51af47086
name: Known Exploited Vulnerabilities
tags:
- vulnerability
url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
description: A catalog of vulnerabilities that have been exploited.
- argocd:
uuid: fdb0e7cc-d3dd-4a2b-9f45-7d403001294f
name: argoCD
Expand Down Expand Up @@ -9120,6 +9210,14 @@ Test and Verification:
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
SecObserve:
uuid: d899488c-5799-4df1-a14c-3bb92fec3ac3
name: SecObserve
tags:
- vulnerability management system
url: https://github.com/MaibornWolff/SecObserve
description: |
The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools.
see-other-actions-e:
uuid: 44c08670-78dc-47ee-a4c1-2503ca6b6cf8
name: See other actions, e.g. "Treatment of defects with severity high".
Expand Down Expand Up @@ -9705,6 +9803,21 @@ Test and Verification:
sprints, and managing software releases. It offers features for creating
and managing tasks, assigning them to team members, and monitoring progress
through customizable workflows and dashboards.
epss:
uuid: e39afc58-8195-4600-92c6-11922e3a141b
name: Exploit Prediction Scoring System
tags:
- vulnerability
url: https://www.first.org/epss/
description: Estimates the likelihood that a software vulnerability will
be exploited.
cisa-kev:
uuid: aa507341-9531-42cd-95cf-d7b51af47086
name: Known Exploited Vulnerabilities
tags:
- vulnerability
url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
description: A catalog of vulnerabilities that have been exploited.
comments: ""
tags:
- none
Expand Down Expand Up @@ -10264,6 +10377,50 @@ Test and Verification:
Default: false
B: false
C: false
Exploit likelihood estimation:
uuid: f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
risk: Without proper prioritization, organizations may waste time and effort
on low-risk vulnerabilities while neglecting critical ones.
measure: Estimate the likelihood of exploitation by using data (CISA KEV) from
the past or prediction models (EPSS).
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 4
level: 3
dependsOn:
- d918cd44-a972-43e9-a974-eff3f4a5dcfe
implementation:
- uuid: aa507341-9531-42cd-95cf-d7b51af47086
name: Known Exploited Vulnerabilities
tags:
- vulnerability
url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
description: A catalog of vulnerabilities that have been exploited.
- uuid: e39afc58-8195-4600-92c6-11922e3a141b
name: Exploit Prediction Scoring System
tags:
- vulnerability
url: https://www.first.org/epss/
description: Estimates the likelihood that a software vulnerability will be
exploited.
references:
samm2:
- V-ST-2-A
iso27001-2017:
- 12.6.1
iso27001-2022:
- 8.8
openCRE:
- https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static
depth for applications/f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
tags:
- none
teamsImplemented:
Default: false
B: false
C: false
Local development security checks performed:
uuid: 6e180abc-7c98-4265-b4e9-852cb91b067b
risk: Creating and developing code contains code smells and quality issues.
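Review bot: the new Exploit likelihood estimation activity has no `description`, unlike the Aggregation activity earlier in this diff that now lists it in dependsOn; a short description distinguishing the two data sources would help assessors, since CISA KEV is evidence that a CVE has already been exploited in the wild whereas EPSS is a model-derived probability that a CVE will be exploited in the next 30 days, so KEV membership is the stronger signal and both are meant to complement CVSS severity rather than replace it. The dependsOn uuid d918cd44-a972-43e9-a974-eff3f4a5dcfe is not visible in this diff, so please confirm it resolves to an existing activity before release.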
Expand Down Expand Up @@ -10821,6 +10978,14 @@ Test and Verification:
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
SecObserve:
uuid: d899488c-5799-4df1-a14c-3bb92fec3ac3
name: SecObserve
tags:
- vulnerability management system
url: https://github.com/MaibornWolff/SecObserve
description: |
The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools.
see-other-actions-e:
uuid: 44c08670-78dc-47ee-a4c1-2503ca6b6cf8
name: See other actions, e.g. "Treatment of defects with severity high".
Expand Down Expand Up @@ -11406,6 +11571,21 @@ Test and Verification:
sprints, and managing software releases. It offers features for creating
and managing tasks, assigning them to team members, and monitoring progress
through customizable workflows and dashboards.
epss:
uuid: e39afc58-8195-4600-92c6-11922e3a141b
name: Exploit Prediction Scoring System
tags:
- vulnerability
url: https://www.first.org/epss/
description: Estimates the likelihood that a software vulnerability will
be exploited.
cisa-kev:
uuid: aa507341-9531-42cd-95cf-d7b51af47086
name: Known Exploited Vulnerabilities
tags:
- vulnerability
url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
description: A catalog of vulnerabilities that have been exploited.
- uuid: 58ac9dea-b6c7-4698-904e-df89a9451c82
name: DevSecOps control Pre-commit
url: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls#plan-and-develop
Expand Down Expand Up @@ -11449,6 +11629,7 @@ Test and Verification:
dependsOn:
- Defined build process
- 2a44b708-734f-4463-b0cb-86dc46344b2f
- f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
implementation:
- uuid: aa54a82c-d628-4d42-9bc8-1aa269cd91c7
name: retire.js
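Review bot: the dependsOn list now mixes a human-readable name ("Defined build process") with uuids (2a44b708-..., f2f0f274-...); the new entry follows the uuid convention, but the mixed style makes automated dependency resolution fragile, so consider replacing the name with its uuid in the source YAML. Also confirm that this activity's level is not lower than level 3, the level of Exploit likelihood estimation, since a dependency on a higher-level activity cannot be satisfied in order.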
Expand Down Expand Up @@ -12078,6 +12259,14 @@ Test and Verification:
url: https://github.com/faloker/purify/
description: |
The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools.
SecObserve:
uuid: d899488c-5799-4df1-a14c-3bb92fec3ac3
name: SecObserve
tags:
- vulnerability management system
url: https://github.com/MaibornWolff/SecObserve
description: |
The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools.
see-other-actions-e:
uuid: 44c08670-78dc-47ee-a4c1-2503ca6b6cf8
name: See other actions, e.g. "Treatment of defects with severity high".
Expand Down Expand Up @@ -12663,6 +12852,21 @@ Test and Verification:
sprints, and managing software releases. It offers features for creating
and managing tasks, assigning them to team members, and monitoring progress
through customizable workflows and dashboards.
epss:
uuid: e39afc58-8195-4600-92c6-11922e3a141b
name: Exploit Prediction Scoring System
tags:
- vulnerability
url: https://www.first.org/epss/
description: Estimates the likelihood that a software vulnerability will
be exploited.
cisa-kev:
uuid: aa507341-9531-42cd-95cf-d7b51af47086
name: Known Exploited Vulnerabilities
tags:
- vulnerability
url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
description: A catalog of vulnerabilities that have been exploited.
references:
samm2:
- V-ST-2-A