Add application hardening

Author: wurstbrot

assets/images/Infrastructure.png renamed to assets/images/Hardening.png

@@ -10,10 +10,11 @@ function readYaml($file) {
 }
 
 $dimensions = array(
+    "Application" => readYaml("data/Application.yml"),
     "Culture and Org." => readYaml("data/CultureAndOrg.yml"),
     "Build and Deployment" => readYaml("data/BuildAndDeployment.yml"),
     "Information Gathering" => readYaml("data/InformationGathering.yml"),
-    "Infrastructure" => readYaml("data/Infrastructure.yml"),
+    "Hardening" => readYaml("data/Hardening.yml"),
     "Test and Verification" => readYaml("data/TestAndVerification.yml"),
 );
 

data-yml.php

@@ -10,10 +10,11 @@ function readYaml($file) {
 }
 
 $dimensions = array(
+    "Application" => readYaml("data/Application.yml"),
     "Culture and Org." => readYaml("data/CultureandOrg.yml"),
     "Build and Deployment" => readYaml("data/BuildandDeployment.yml"),
     "Information Gathering" => readYaml("data/Informationgathering.yml"),
-    "Infrastructure" => readYaml("data/Infrastructure.yml"),
+    "Hardening" => readYaml("data/Hardening.yml"),
     "Test and Verification" => readYaml("data/TestandVerification.yml")
 );
 

data.php

@@ -63,7 +63,7 @@ Infrastructure Hardening:
     iso27001-2017:
       - virtual environments are not explicitly covered by ISO 27001 - too specific
       - 13.1.3
-  Filter for outcoing traffic:
+  Filter outcoing traffic:
     risk: A compromised infrastructure component might try to send out stolen data.
     measure: Having a whitelist and explizitly allowing egress traffic provides the ability to stop unauthorized data leackage.
     difficultyOfImplementation:
@@ -284,4 +284,72 @@ Infrastructure Hardening:
       - 12.1.3
       - 13.1.3
       - 17.2.1
+Application Hardening:
+  Application Hardening Level 1:
+    risk: Using an insecure application might lead to a compromised application. This might lead to total data theft or data modification.
+    measure: |
+      Following frameworks like the
+        <ul>
+          <li>OWASP Application Security Verification Standard Level 1</li>
+          <li>OWASP Mobile Application Security Verification Standard Level 1</li>
+        </ul>
+
+      in all applications provides a good baseline.
+    difficultyOfImplementation:
+      knowledge: 4
+      time: 4
+      resources: 2
+    usefulness: 4
+    level: 1
+    implementation:
+      - <a href='https://owasp.org/www-project-application-security-verification-standard/'>OWASP ASVS</a>
+      - <a href="https://github.com/OWASP/owasp-masvs">OWASP MASVS</a>
+    samm2: software-requirements|A|1
+    iso27001-2017:
+      - hardening is not explicitly covered by ISO 27001 - too specific
+      - 13.1.3
+
+  Application Hardening Level 2:
+    risk: Using an insecure application might lead to a compromised application. This might lead to total data theft or data modification.
+    measure: |
+      Following frameworks like the
+        <ul>
+          <li>OWASP Application Security Verification Standard Level 2</li>
+          <li>OWASP Mobile Application Security Verification Standard Level 2</li>
+        </ul>
+    difficultyOfImplementation:
+      knowledge: 4
+      time: 4
+      resources: 2
+    usefulness: 4
+    level: 2
+    implementation:
+      - <a href='https://owasp.org/www-project-application-security-verification-standard/'>OWASP ASVS</a>
+      - <a href="https://github.com/OWASP/owasp-masvs">OWASP MASVS</a>
+    samm2: software-requirements|A|2
+    iso27001-2017:
+      - hardening is not explicitly covered by ISO 27001 - too specific
+      - 13.1.3
+
+  Application Hardening Level 3:
+    risk: Using an insecure application might lead to a compromised application. This might lead to total data theft or data modification.
+    measure: |
+      Following frameworks like the
+        <ul>
+          <li>OWASP Application Security Verification Standard Level 3</li>
+          <li>OWASP Mobile Application Security Verification Standard Maturity Requirements</li>
+        </ul>
+    difficultyOfImplementation:
+      knowledge: 4
+      time: 4
+      resources: 2
+    usefulness: 4
+    level: 4
+    implementation:
+      - <a href='https://owasp.org/www-project-application-security-verification-standard/'>OWASP ASVS</a>
+      - <a href="https://github.com/OWASP/owasp-masvs">OWASP MASVS</a>
+    samm2: software-requirements|A|3
+    iso27001-2017:
+      - hardening is not explicitly covered by ISO 27001 - too specific
+      - 13.1.3
 ...

data/Infrastructure.yml renamed to data/Hardening.yml

@@ -32,7 +32,8 @@ Monitoring:
       - 12.6.1
   Alerting:
     risk: Incidents are discovered after they happend.
-    measure: Thresholds for metrics are set. In case the thresholds are reached, alarms are send out. Which should get attention due to the critically.
+    measure: |
+      Thresholds for metrics are set. In case the thresholds are reached, alarms are send out. Which should get attention due to the critically.
     difficultyOfImplementation:
       knowledge: 2
       time: 5
@@ -79,7 +80,9 @@ Monitoring:
       - 12.1.3
   Defence metrics:
     risk: IDS/IPS systems like packet- or application-firewalls detect and prevent attacks. It is not known how many attacks has been detected and blocked.
-    measure: Gathering of defence metrics like TCP/UDP sources enables to assume the geographic location of the request.
+    measure: |
+      Gathering of defence metrics like TCP/UDP sources enables to assume the geographic location of the request.
+      Assuming a Kubernetes cluster with an egress-traffic filter (e.g. IP/domain based), an alert might be send out in case of every violation. For ingress-traffic, alerting might not even be considered.
     difficultyOfImplementation:
       knowledge: 3
       time: 5
@@ -88,6 +91,7 @@ Monitoring:
     level: 4
     dependsOn:
     - Visualized metrics
+    - Filter outcoing traffic
     samm2: o-incident-management|A|2
     iso27001-2017:
       - 12.4.1

data/Informationgathering.yml

@@ -14,10 +14,10 @@ function loadDiagramm() {
                 });
             });
         });
-        var countSubdimensions = 16;
+        var countSubdimensions = 17;
         var chart = circularHeatChart()
-            .segmentHeight(50)
-            .innerRadius(190)
+            .segmentHeight(40)
+            .innerRadius(170)
             .numSegments(countSubdimensions)
             .radialLabels(["Maturity 1", "Maturity 2", "Maturity 3", "Maturity 4"])
             .segmentLabels(labels)
@@ -33,5 +33,15 @@ function loadDiagramm() {
     $('html,body').scrollTop(0);
 }
 function replaceSubdimensionName(name) {
-    return name.replace("for applications", "app").replace("Hardening", "Hard.").replace("Guidance", "Guid.").replace("for infrastructure", "infra")
+    return name
+        .replace("for applications", "app")
+        .replace("Hardening", "Hard.")
+        .replace("Guidance", "Guid.")
+        .replace("for infrastructure", "infra")
+        .replace("Dynamic", "Dyn.")
+        .replace("Infrastructure", "Infra.")
+        .replace("Application", "App.")
+        .replace("Education", "Edu.")
+        .replace("Management", "Education.")
+        ;
 }