diff --git a/src/app/app.component.css b/src/app/app.component.css
index 0a466282..d9d39268 100644
--- a/src/app/app.component.css
+++ b/src/app/app.component.css
@@ -1,3 +1,10 @@
+:host {
+ display: flex;
+ flex-direction: column;
+ height: 100vh;
+ overflow: hidden;
+}
+
.navbar {
position: sticky;
top: 0;
@@ -7,7 +14,14 @@
align-items: center;
height: 64px;
transition: all 0.25s ease;
+ flex-shrink: 0;
}
+
+.sidenav-container {
+ flex: 1;
+ overflow: hidden;
+}
+
.logo {
display: flex;
align-items: center;
@@ -16,6 +30,7 @@
margin-left: -4px;
height: 100%;
}
+
.logo-icon {
transform: scale(0.95);
transform-origin: left center;
@@ -35,35 +50,37 @@
margin-top: 4px;
gap: 3px;
}
+
.tag-title {
font-size: 0.85em;
font-weight: 500;
line-height: 1;
letter-spacing: 0.04em;
}
+
.tag-subtitle {
font-size: 0.65em;
margin-top: 0;
letter-spacing: 0.08em;
opacity: 0.6;
}
-.github-fork-ribbon::before {
- background-color: #333;
-}
+
.menu-btn {
margin-right: 4px;
transition: all 0.2s ease;
}
+
.menu-btn:hover {
background: rgba(0,0,0,0.04);
transform: scale(1.05);
}
-.spacer {
- flex: 1 1 auto;
-}
+
.content {
padding: 24px;
animation: fadeSlide 1s ease;
+ height: 100%;
+ box-sizing: border-box;
+ overflow-y: auto;
}
@keyframes fadeSlide {
from {
@@ -85,9 +102,6 @@
.tag-subtitle {
font-size: 11px;
}
- .github-fork-ribbon {
- display: none;
- }
.logo,
.logo-icon {
opacity: 0;
diff --git a/src/app/app.component.html b/src/app/app.component.html
index e97f7444..3cbe51e5 100644
--- a/src/app/app.component.html
+++ b/src/app/app.component.html
@@ -16,7 +16,6 @@
-
diff --git a/src/assets/YAML/default/model.yaml b/src/assets/YAML/default/model.yaml
index e1959ecc..3a1bf4e6 100644
--- a/src/assets/YAML/default/model.yaml
+++ b/src/assets/YAML/default/model.yaml
@@ -1,35 +1,48 @@
---
meta:
- version: 1.25.0
- released: "2025-12-15"
+ version: 4.1.0
+ released: "2026-01-28"
publisher: https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel-data
---
Build and Deployment:
Build:
Defined build process:
uuid: f6f7737f-25a9-4317-8de2-09bf59f29b5b
- description: "A *build process* include more than just compiling your source
- code. \nIt also includes steps such as managing (third party) dependencies,
- \nenvironment configuration, running the unit tests, etc. \n\nA *defined build
- process* has automated these steps to ensure consistency.\n\nThis can be done
- with a Jenkinsfile, Maven, or similar tools.\n"
- risk: Performing builds without a defined process is error prone; for example,
- as a result of incorrect security related configuration.
- measure: A well defined build process lowers the possibility of errors during
- the build process.
+ description: |
+ A *build process* includes more than just compiling your source code. It also covers:
+ - Managing (third party) dependencies
+ - Environment configuration
+ - Running unit and integration tests
+ - Security scanning and compliance checks
+ - Artifact creation and storage
+ - Deployment preparation
+
+ Basing the build process on human memory may lead to inconsistencies and security misconfigurations.
+
+ A *defined build process* can automate these steps to ensure consistency, avoiding accidental omissions or misconfigurations. Use tools such as Jenkins, GitHub Actions, GitLab CI, or Maven to codify the process.
+
+ A simplified, but still a *defined build process*, may be a checklist of the steps to be performed.
+ risk: Without a defined and automated build process the risk increase for accidental
+ mistakes, forgetting test activities, and insecure misconfigurations.
+ measure: Find a tool that suits your environment. Add your manual build steps,
+ include steps for running tests, scanning and preparation for deployment.
+ assessment: |
+ - Show your build pipeline configuration (e.g., Jenkinsfile, GitHub Actions workflow) and an exemplary job (build + test + security scan).
+ level: 1
difficultyOfImplementation:
knowledge: 2
time: 3
resources: 2
usefulness: 4
- level: 1
- assessment: |
- - Show your build pipeline and an exemplary job (build + test).
- - Show that every team member has access.
- - Show that failed jobs are fixed.
-
- Credits: AppSecure-nrw [Security Belts](https://github.com/AppSecure-nrw/security-belts/)
implementation:
+ - uuid: 42ddb49f-48f2-4a3a-b76a-e73104ac6971
+ name: Jenkins
+ tags: []
+ url: https://www.jenkins.io/
+ - uuid: eb6de6b9-e060-4902-ae6f-604ffc386b63
+ name: Maven
+ tags: []
+ url: https://maven.apache.org/
- uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4
name: CI/CD tools
tags:
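Review bot: The new `risk` text of `Defined build process` has a number-agreement slip — `the risk increase for accidental mistakes` should read `the risk increases for accidental mistakes`, or more plainly `Without a defined and automated build process, accidental mistakes, skipped test activities and insecure misconfigurations become more likely.` The removed `assessment` block also carried the `Credits: AppSecure-nrw [Security Belts]` attribution, and the rewritten assessment still derives from that source; if the attribution was a condition of reuse it should be restored somewhere in the activity. The activity's remaining `implementation` entries continue past the end of the hunk.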
@@ -179,7 +192,17 @@ Build and Deployment:
resources: 3
usefulness: 3
level: 2
- implementation: []
+ implementation:
+ - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b
+ name: Trivy
+ tags: []
+ url: https://github.com/aquasecurity/trivy
+ - uuid: 7543a6f2-3850-47a9-bb2f-0987e2af6f6a
+ name: Syft
+ tags:
+ - sbom
+ - dependency
+ url: https://github.com/anchore/syft
references:
samm2:
- I-SB-B-1
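Review bot: The new Trivy entry is added with `tags: []` while the Syft entry directly below it is tagged `sbom` and `dependency`, so the two SBOM tools will not be found by the same tag filter. Tagging Trivy consistently, e.g. `tags:` followed by `- sbom`, keeps the implementation list searchable. The enclosing activity starts before the hunk.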
@@ -193,10 +216,12 @@ Build and Deployment:
openCRE:
- https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Build/subsection/SBOM%20of%20components
isImplemented: false
+ tags:
+ - inventory
+ - scanning
+ - sca
evidence: ""
comments: ""
- tags:
- - none
Signing of code:
uuid: 9f107927-61e9-4574-85ad-3f2b4bca8665
risk: Execution or usage of malicious code or data e.g. via executables, libraries
@@ -220,7 +245,7 @@ Build and Deployment:
name: Enforcement of commit signing
tags:
- signing
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule
+ url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule
description: Usage of branch protection rules
dependsOn:
- f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process
@@ -290,20 +315,27 @@ Build and Deployment:
tags:
- none
Deployment:
- Defined deployment process:
- uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a
- risk: Deployment of insecure or malfunctioning artifacts.
- measure: Defining a deployment process ensures that there are established criteria
- in terms of functionalities, security, compliance, and performance, and that
- the artifacts meet them.
+ Automated deployment process:
+ uuid: 67e1a9aa-9fbf-4ec5-a2de-400f01960c51
+ description: |
+ An *automated deployment process* implements the defined deployment steps using automation tools, ensuring consistency, auditability, and minimizing the risk of human errors or unauthorized changes.
+ risk: Deployments relying on manual routines increase the risk of errors, insecure
+ configurations, or deploying malfunctioning artifacts.
+ measure: Automating the deployment process enforces predefined criteria for
+ security, compliance, and performance, ensuring reliable artifact delivery.
+ assessment: |
+ - Deployment process is documented and available to relevant staff
+ - All deployment steps are automated
+ - Provide audit logs or evidence of deployments
+ level: 1
difficultyOfImplementation:
knowledge: 2
time: 2
- resources: 1
+ resources: 2
usefulness: 4
- level: 1
dependsOn:
- f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process
+ - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process
implementation:
- uuid: b4bfead3-5fb6-4dd0-ba44-5da713bd22e4
name: CI/CD tools
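Review bot: The first `assessment` item of the new `Automated deployment process`, `Deployment process is documented and available to relevant staff`, is the same item the activity's new prerequisite `Defined deployment process` (uuid `74938a3f-...`, listed under `dependsOn`) already requires, so it is assessed twice. Dropping it here and keeping only the automation-specific items (`All deployment steps are automated`, audit-log evidence) would make the two activities complementary rather than overlapping. The `implementation` list continues past the hunk.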
@@ -311,10 +343,48 @@ Build and Deployment:
- ci-cd
url: https://martinfowler.com/articles/continuousIntegration.html
description: CI/CD tools such as jenkins, gitlab-ci or github-actions
+ - uuid: 42ddb49f-48f2-4a3a-b76a-e73104ac6971
+ name: Jenkins
+ tags: []
+ url: https://www.jenkins.io/
- uuid: cc47b2e3-6ee5-4926-af3a-d418ef91c8ba
name: Docker
url: https://github.com/moby/moby
tags: []
+ references:
+ samm2:
+ - I-SD-A-1
+ iso27001-2017:
+ - 12.1.1
+ - 14.2.2
+ iso27001-2022:
+ - 5.37
+ - 8.32
+ openCRE:
+ - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Automated%20deployment%20process
+ tags:
+ - none
+ Defined deployment process:
+ uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a
+ description: |
+ A *defined deployment process* is a documented and standardized procedure for releasing software into production, ensuring consistency and reducing the risk of errors.
+ risk: Deployments relying on human memory are prone to errors, making experienced
+ long-ter staff critical.
+ measure: Establish a written deployment process documented in README files,
+ wikis, or implemented as executable scripts and automated steps.
+ assessment: |
+ - Deployment process is documented and available to relevant staff
+ - Logs of deployments are documented and availabe to relevant staff
+ level: 1
+ difficultyOfImplementation:
+ knowledge: 1
+ time: 1
+ resources: 1
+ usefulness: 1
+ dependsOn:
+ - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process
+ - 066084c6-1135-4635-9cc5-9e75c7c5459f # Version control
+ implementation: ~
references:
samm2:
- I-SD-A-1
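Review bot: The re-added `Defined deployment process` sets `implementation: ~`, i.e. YAML null, whereas the other activities in this file use an empty list (`implementation: []`, as at the patch-policy activity); a consumer that iterates the implementations will see `null` here and an array everywhere else, so `implementation: []` is the safer value. The same block has two typos in its new text: `long-ter staff` → `long-term staff` in `risk`, and `availabe` → `available` in the second `assessment` item. The references of this activity continue past the end of the hunk.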
@@ -326,26 +396,28 @@ Build and Deployment:
- 8.32
openCRE:
- https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Deployment/subsection/Defined%20deployment%20process
- isImplemented: false
- evidence: ""
- comments: ""
tags:
- none
Inventory of production components:
uuid: 2a44b708-734f-4463-b0cb-86dc46344b2f
+ description: |
+ An inventory of production components is a complete, up-to-date list of all applications running in production. This enables effective vulnerability management, incident response, and compliance. Without it, organizations risk running unmaintained or unauthorized software.
risk: An organization is unaware of components like applications in production.
Not knowing existing applications in production leads to not assessing it.
measure: |-
A documented inventory of components in production exists (gathered manually or automatically). For example a manually created document with applications in production.
In a kubernetes cluster, namespaces can be automatically gathered and documented, e.g. in a JSON in a S3 bucket/git repository, dependency track.
+ assessment: |
+ - Inventory of all production applications with application name, owner, and date of last review
+ - Inventory is accessible to development, security and operations teams
dependsOn:
- - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process
+ - 67e1a9aa-9fbf-4ec5-a2de-400f01960c51 # Automated deployment process
+ level: 1
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 4
- level: 1
implementation:
- uuid: 2210e02b-a856-4da4-8732-5acd77e20fca
name: Backstage
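Review bot: The hunk drops `isImplemented: false`, `evidence: ""` and `comments: ""` from `Defined deployment process`, while the SBOM activity earlier in this same commit keeps those three fields; if the application reads them as per-activity state, this becomes the one activity without them. Unless the fields are now derived elsewhere, they should be kept for consistency. The `dependsOn` change for `Inventory of production components` (now `Automated deployment process` instead of `Defined deployment process`) also deserves a sentence in the commit message, since a manually maintained inventory does not obviously require automated deployments.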
@@ -486,6 +558,8 @@ Build and Deployment:
a signing key.
tags: []
url: https://medium.com/slalom-technology/build-a-kubernetes-dynamic-admission-controller-for-container-registry-whitelisting-b46fe020e22d
+ test-url-expects:
+ - 403
- uuid: 5d8b27ac-286e-47a5-b23f-769eb6d74e4a
name: packj
tags:
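Review bot: Adding `test-url-expects:` with `- 403` teaches the link checker to treat a Forbidden response as healthy, so this Medium URL will never be flagged if the article disappears while the host keeps answering 403 to automated clients; the same applies to the 403 entries added for the Distroless/Alpine link and the two `Don't Forget EVIL User stories` entries later in the diff. For the two Terraform entries that expect `308`, the redirect target could be stored as `url` instead of whitelisting the redirect. If `test-url-expects` is a new key in this schema, a short note on what values it accepts would help future editors.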
@@ -521,7 +595,7 @@ Build and Deployment:
measure: A documented inventory of artifacts in production like container images
exists (gathered manually or automatically).
dependsOn:
- - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process
+ - 67e1a9aa-9fbf-4ec5-a2de-400f01960c51 # Automated deployment process
- 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
difficultyOfImplementation:
knowledge: 2
@@ -675,6 +749,8 @@ Build and Deployment:
tags:
- inventory
- sbom
+ - scanning
+ - sca
Rolling update on deployment:
uuid: 85d52588-f542-4225-a338-20dc22a5508d
risk: While a deployment is performed, the application can not be reached.
@@ -698,7 +774,7 @@ Build and Deployment:
name: rolling update
tags: []
dependsOn:
- - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process
+ - 67e1a9aa-9fbf-4ec5-a2de-400f01960c51 # Automated deployment process
references:
samm2:
- I-SD-A-2
@@ -851,15 +927,23 @@ Build and Deployment:
Patch Management:
A patch policy is defined:
uuid: 99415139-6b50-441b-89e1-0aa59accd43d
- risk: Vulnerabilities in running artifacts stay for long and might get exploited.
- measure: A patch policy for all artifacts (e.g. in images) is defined. How often
- is an image rebuilt?
+ description: |
+ A patch policy defines how and when software components, images, and dependencies are updated. A patch policy ensures that all these artifacts are regularly reviewed and updated, reducing the window of exposure to known threats. The policy should specify the frequency, responsibilities, and documentation requirements for patching.
+ risk: Vulnerabilities in running artifacts may persist for a long time and might
+ be exploited.
+ measure: Define a patch policy for all artifacts (e.g. in images) is defined.
+ How often is an image rebuilt?
+ assessment: |
+ - Patch policy is documented and accessible to relevant staff.
+ - The policy defines patch frequency and responsible roles.
+ - Patch actions and exceptions are logged and reviewed.
+ - Evidence of regular patching and policy review is available.
+ level: 1
difficultyOfImplementation:
knowledge: 3
time: 1
resources: 2
usefulness: 4
- level: 1
implementation: []
references:
samm2:
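Review bot: The new `measure` of `A patch policy is defined` is ungrammatical — `Define a patch policy for all artifacts (e.g. in images) is defined.` mixes the old and the new sentence; `Define a patch policy for all artifacts (e.g. in images), including how often an image is rebuilt.` says the same thing in one clause. The four `assessment` items read well. The activity's `references` continue past the hunk.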
@@ -881,24 +965,34 @@ Build and Deployment:
- patching
Automated PRs for patches:
uuid: 8ae0b92c-10e0-4602-ba22-7524d6aed488
- risk: Components with known (or unknown) vulnerabilities might stay for long
- and get exploited, even when a patch is available.
- measure: |-
- Fast patching of third party component is needed. The DevOps way is to have an automated pull request for new components. This includes
- * Applications * Virtualized operating system components (e.g. container images) * Operating Systems * Infrastructure as Code/GitOps (e.g. argocd based on a git repository or terraform)
+ description: |
+ Automated PRs for patches ensure that updates for outdated or vulnerable dependencies are created and proposed without manual intervention. Tools continuously monitor for new versions or security advisories and immediately generate pull requests to update affected components in code, container images, or infrastructure. This process ensures that available patches are quickly visible to developers and can be reviewed and merged with minimal delay, reducing the risk window for known vulnerabilities.
+ risk: |
+ Components with known vulnerabilities might persist for a long time and be exploited, even when a patch is available.
+ measure: |
+ Fast patching of third-party components is needed. The DevOps way is to have an automated pull request for new components. This includes:
+ * Applications
+ * Virtualized operating system components (e.g., container images)
+ * Operating systems
+ * Infrastructure as Code/GitOps (e.g., ArgoCD based on a git repository or Terraform)
+ assessment: |
+ - Automated PR tooling is enabled for all relevant repositories.
+ - PRs are created automatically for outdated or vulnerable dependencies.
+ - PRs are reviewed and merged according to the defined patch policy.
+ - Evidence of automated PRs and patching activity is available.
+ level: 1
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 4
- level: 1
implementation:
- uuid: d6292c7d-aab7-43d3-a7c6-1e443b5c1aa4
name: dependabot
tags:
- auto-pr
- patching
- url: https://dependabot.com/
+ url: https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide
- uuid: 42ddb49f-48f2-4a3a-b76a-e73104ac6971
name: Jenkins
tags: []
@@ -908,6 +1002,8 @@ Build and Deployment:
tags:
- IaC
url: https://www.terraform.io/
+ test-url-expects:
+ - 308
description: |
Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service.
- uuid: 8228266e-e04f-40ba-94c8-bfadc5310920
@@ -952,7 +1048,7 @@ Build and Deployment:
tags:
- auto-pr
- patching
- url: https://dependabot.com/
+ url: https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide
- uuid: 8228266e-e04f-40ba-94c8-bfadc5310920
name: renovate
tags:
@@ -1032,11 +1128,13 @@ Build and Deployment:
- uuid: be757cb3-63d6-4a63-9c4e-e10b746fd47a
name: Fedora CoreOS
tags: []
- url: https://getfedora.org/coreos
+ url: https://fedoraproject.org/coreos/
- uuid: a92c4f8f-a918-406a-b1e5-70acfc0477bd
name: Distroless or Alpine
tags: []
url: https://itnext.io/which-container-images-to-use-distroless-or-alpine-96e3dab43a22
+ test-url-expects:
+ - 403
references:
samm2:
- I-SB-B-2
@@ -1092,7 +1190,6 @@ Build and Deployment:
- patching
Automated deployment of automated PRs:
uuid: 08f27c26-2c6a-47fe-9458-5e88f188085d
- description: Automated merges of automated created PRs for outdated dependencies.
risk: Even if automated dependencies PRs are merged, they might not be deployed.
This results in vulnerabilities in running artifacts stay for too long and
might get exploited.
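Review bot: The `description` of `Automated deployment of automated PRs` is deleted and not replaced, which runs against the rest of this commit, where activities gain a `description` block; after the patch this activity has only `risk` and `measure`. If the sentence was dropped because it repeated the title, a one-line `description: Automatically merge and deploy the pull requests created for outdated dependencies.` keeps the field populated. The activity body continues outside the hunk.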
@@ -1112,6 +1209,8 @@ Build and Deployment:
tags:
- IaC
url: https://www.terraform.io/
+ test-url-expects:
+ - 308
description: |
Terraform enables infrastructure automation for provisioning, compliance, and management of any cloud, datacenter, and service.
- uuid: fdb0e7cc-d3dd-4a2b-9f45-7d403001294f
@@ -1120,17 +1219,13 @@ Build and Deployment:
- deployment
url: https://argo-cd.readthedocs.io/en/stable/
references:
- samm2:
- - O-EM-B-2
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
+ samm2: []
+ iso27001-2017: []
+ iso27001-2022: []
openCRE:
- https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Patch%20Management/subsection/Automated%20deployment%20of%20automated%20PRs
- comments: ""
tags:
- - patching
+ - none
Usage of a short maximum lifetime for images:
uuid: 6b96e5a0-ce34-4ea4-a88f-469d3b84546e
description: |-
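Review bot: The references of `Automated deployment of automated PRs` are emptied (`samm2: []`, `iso27001-2017: []`, `iso27001-2022: []`) and its tag changes from `patching` to `none`, which removes the compliance mapping of an activity that sits under Patch Management; the dropped values (SAMM `O-EM-B-2`, ISO 27001 `12.6.1` / `8.8`) are the vulnerability-management controls a reader would expect here. If they were judged wrong, the commit message should say so; otherwise restoring them and keeping `- patching` looks right. `comments: ""` is also dropped in this hunk while other activities keep it.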
@@ -1154,7 +1249,7 @@ Build and Deployment:
level: 4
implementation:
- uuid: 1a463242-b480-46f6-a912-b51ec1c1558d
- name: "Sample concept: \n(1"
+ name: Sample concept
tags: []
description: "Sample concept: \n(1) each container has a set lifetime and
is killed / replaced with a new container multiple times a day where you
@@ -1185,16 +1280,62 @@ Culture and Organization:
Design:
Conduction of simple threat modeling on technical level:
uuid: 47419324-e263-415b-815d-e7161b6b905e
+ description: |
+ # OWASP SAMM Description
+ Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment.
+
+ Threat modeling is a team exercise, including product owners, architects, security champions, and security testers. At this maturity level, expose teams and stakeholders to threat modeling to increase security awareness and to create a shared vision on the security of the system.
+
+ At maturity level 1, you perform threat modeling ad-hoc for high-risk applications and use simple threat checklists, such as STRIDE. Avoid lengthy workshops and overly detailed lists of low-relevant threats. Perform threat modeling iteratively to align to more iterative development paradigms. If you add new functionality to an existing application, look only into the newly added functions instead of trying to cover the entire scope. A good starting point is the existing diagrams that you annotate during discussion workshops. Always make sure to persist the outcome of a threat modeling discussion for later use.
+
+ Your most important tool to start threat modeling is a whiteboard, smartboard, or a piece of paper. Aim for security awareness, a simple process, and actionable outcomes that you agree upon with your team. Once requirements are gathered and analysis is performed, implementation specifics need to be defined. The outcome of this stage is usually a diagram outlining data flows and a general system architecture. This presents an opportunity for both threat modeling and attaching security considerations to every ticket and epic that is the outcome of this stage.
+
+ Source: https://owaspsamm.org/model/design/threat-assessment/stream-b/
+ # OWASP Project Integration Description
+ There is some great advice on threat modeling out there *e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/) article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one.
+
+ A bite sized primer by Adam Shostack himself can be found [here](https://adam.shostack.org/blog/2018/03/threat-modeling-panel-at-appsec-cali-2018/).
+
+ OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling) on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html). Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/).
+
+ There's a few projects that can help with creating Threat Models at this stage, [PyTM](https://github.com/izar/pytm) is one, [ThreatSpec](https://github.com/threatspec/threatspec) is another.
+
+ > Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations. An example can be found below._
+
+ 
+
+ Last, if the organizations maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function.
+
+ 
+
+ This practice has the side effect that it trains non-security specialists to think like attackers.
+
+ The outcomes of this stage should help lay the foundation of secure design and considerations.
+
+ **Example Low Maturity Scenario:**
+
+ Following vague feature requirements the design includes caching data to a local unencrypted database with a hardcoded password.
+
+ Remote data store access secrets are hardcoded in the configuration files. All communication between backend systems is plaintext.
+
+ Frontend serves data over GraphQL as a thin layer between caching system and end user.
+
+ GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries. Access to data is protected with basic auth set to _1234:1234_ for development purposes.
+
+ Source: OWASP Project Integration Project
risk: Technical related threats are discovered too late in the development and
deployment process.
- measure: Threat modeling of technical features is performed during the product
- sprint planning.
+ measure: |
+ Perform threat modeling of technical features during product sprint planning using simple checklists and diagrams. Document identified threats and mitigations for new or changed functionality.
+ assessment: |
+ - Evidence of threat modeling activities exists for high-risk applications, including annotated diagrams and documented threats/mitigations.
+ - Activities are performed during sprint planning and involve relevant stakeholders. Outcomes are recorded and accessible for review.
+ level: 1
difficultyOfImplementation:
knowledge: 2
time: 3
resources: 1
usefulness: 3
- level: 1
implementation:
- uuid: c0533602-11b7-4838-93cc-a40556398163
name: Whiteboard
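Review bot: The description moved up from the `Threat Matrix for Storage` implementation to the activity itself carries over two wording slips from its old location: `if the organizations maps Features to Epics` → `if the organization maps Features to Epics`, and `leveraging it's questionnaire function` → `leveraging its questionnaire function`. Since the text now serves as the activity's primary description, the move is the moment to fix them. The `implementation` list continues past the hunk.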
@@ -1236,55 +1377,12 @@ Culture and Organization:
url: https://owaspsamm.org/model/design/threat-assessment/stream-b/
- uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617
name: Threat Matrix for Storage
- url: https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/
+ url: https://www.microsoft.com/en-US/security/blog/2021/04/08/threat-matrix-for-storage/
tags:
- documentation
- storage
- cluster
- kubernetes
- description: |
- # OWASP SAMM Description
- Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment.
-
- Threat modeling is a team exercise, including product owners, architects, security champions, and security testers. At this maturity level, expose teams and stakeholders to threat modeling to increase security awareness and to create a shared vision on the security of the system.
-
- At maturity level 1, you perform threat modeling ad-hoc for high-risk applications and use simple threat checklists, such as STRIDE. Avoid lengthy workshops and overly detailed lists of low-relevant threats. Perform threat modeling iteratively to align to more iterative development paradigms. If you add new functionality to an existing application, look only into the newly added functions instead of trying to cover the entire scope. A good starting point is the existing diagrams that you annotate during discussion workshops. Always make sure to persist the outcome of a threat modeling discussion for later use.
-
- Your most important tool to start threat modeling is a whiteboard, smartboard, or a piece of paper. Aim for security awareness, a simple process, and actionable outcomes that you agree upon with your team. Once requirements are gathered and analysis is performed, implementation specifics need to be defined. The outcome of this stage is usually a diagram outlining data flows and a general system architecture. This presents an opportunity for both threat modeling and attaching security considerations to every ticket and epic that is the outcome of this stage.
-
- Source: https://owaspsamm.org/model/design/threat-assessment/stream-b/
- # OWASP Project Integration Description
- There is some great advice on threat modeling out there *e.g.* [this](https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/) article or [this](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) one.
-
- A bite sized primer by Adam Shostack himself can be found [here](https://adam.shostack.org/blog/2018/03/threat-modeling-panel-at-appsec-cali-2018/).
-
- OWASP includes a short [article](https://wiki.owasp.org/index.php/Category:Threat_Modeling) on Threat Modeling along with a relevant [Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html). Moreover, if you're following OWASP SAMM, it has a short section on [Threat Assessment](https://owaspsamm.org/model/design/threat-assessment/).
-
- There's a few projects that can help with creating Threat Models at this stage, [PyTM](https://github.com/izar/pytm) is one, [ThreatSpec](https://github.com/threatspec/threatspec) is another.
-
- > Note: _A threat model can be as simple as a data flow diagram with attack vectors on every flow and asset and equivalent remediations. An example can be found below._
-
- 
-
- Last, if the organizations maps Features to Epics, the Security Knowledge Framework (SKF) can be used to facilitate this process by leveraging it's questionnaire function.
-
- 
-
- This practice has the side effect that it trains non-security specialists to think like attackers.
-
- The outcomes of this stage should help lay the foundation of secure design and considerations.
-
- **Example Low Maturity Scenario:**
-
- Following vague feature requirements the design includes caching data to a local unencrypted database with a hardcoded password.
-
- Remote data store access secrets are hardcoded in the configuration files. All communication between backend systems is plaintext.
-
- Frontend serves data over GraphQL as a thin layer between caching system and end user.
-
- GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries. Access to data is protected with basic auth set to _1234:1234_ for development purposes.
-
- Source: OWASP Project Integration Project
references:
samm2:
- D-TA-B-2
@@ -1384,10 +1482,11 @@ Culture and Organization:
- uuid: bb5b8988-021b-452a-a914-bd36887b6860
name: Don't Forget EVIL User stories
tags: []
- url: https://www.owasp.org/index.php/Agile_Software_Development
- description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
- and [Practical Security Stories and Security Tasks for Agile Development
- Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)'
+ url: https://medium.com/serious-scrum/evil-user-storys-story-telling-for-it-security-e4a9ec94193c
+ test-url-expects:
+ - 403
+ description: Do not Forget _Evil_ User Stories and [Practical Security Stories
+ and Security Tasks for Agile Development Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)
dependsOn:
- 47419324-e263-415b-815d-e7161b6b905e # Conduction of simple threat modeling on technical level
- dd5ed7c1-bdbf-400f-b75f-6d3953a1a04e # Creation of threat modeling processes and standards
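Review bot: The `Don't Forget EVIL User stories` entry now points at a third-party Medium article (with `403` whitelisted for the link check) and the link to the OWASP page is removed from the `description`, so the original OWASP text is no longer reachable from the model. This commit already uses the archived wiki host for the threat modeling category (`https://wiki.owasp.org/index.php/...`); if the EVIL user stories page resolves there, it would be the better primary `url`, with the Medium post as a secondary reference in the description. The same change is repeated for the second occurrence of uuid `bb5b8988-021b-452a-a914-bd36887b6860` further down in the file.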
@@ -1538,7 +1637,7 @@ Culture and Organization:
url: https://github.com/Threagile/threagile
- uuid: 1c56dbea-e067-44e2-8d3b-0a1205a70617
name: Threat Matrix for Storage
- url: https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/
+ url: https://www.microsoft.com/en-US/security/blog/2021/04/08/threat-matrix-for-storage/
tags:
- documentation
- storage
@@ -1582,10 +1681,11 @@ Culture and Organization:
- uuid: bb5b8988-021b-452a-a914-bd36887b6860
name: Don't Forget EVIL User stories
tags: []
- url: https://www.owasp.org/index.php/Agile_Software_Development
- description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
- and [Practical Security Stories and Security Tasks for Agile Development
- Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)'
+ url: https://medium.com/serious-scrum/evil-user-storys-story-telling-for-it-security-e4a9ec94193c
+ test-url-expects:
+ - 403
+ description: Do not Forget _Evil_ User Stories and [Practical Security Stories
+ and Security Tasks for Agile Development Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)
references:
samm2:
- D-TA-B-2
@@ -1612,23 +1712,28 @@ Culture and Organization:
Education and Guidance:
Ad-Hoc Security trainings for software developers:
uuid: 12c90cc6-3d58-4d9b-82ff-d469d2a0c298
- risk: Understanding security is hard and personnel needs to be trained on it.
- Otherwise, flaws like an SQL Injection might be introduced into the software
- which might get exploited.
- measure: Provide security awareness training for all personnel involved in software
- development Ad-Hoc.
+ description: |
+ Ad-hoc security training provides basic awareness of software security risks and best practices to developers and other personnel involved in software development. These trainings are delivered as needed, without a fixed schedule, to address immediate knowledge gaps or respond to emerging threats.
+ risk: |
+ Without any security training, personnel may lack awareness of common software vulnerabilities (such as SQL Injection and vulnerable dependencies), increasing the risk of introducing exploitable flaws into applications.
+ measure: |
+ Provide security awareness training for all personnel involved in software development on an ad-hoc basis, ensuring that relevant topics are covered when new risks or needs are identified.
+ assessment: |
+ - Conduct security training for developers and relevant personnel
+ - Training materials are available
+ - Attendance records are available
+ level: 1
difficultyOfImplementation:
knowledge: 2
time: 1
resources: 1
usefulness: 3
- level: 1
implementation:
- uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a
name: OWASP Juice Shop
tags:
- training
- url: https://github.com/bkimminich/juice-shop
+ url: https://github.com/juice-shop/juice-shop
description: In case you do not have the budget to hire an external security
expert, an option is to use the OWASP JuiceShop on a "hacking Friday"
- uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
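Review bot: The first `assessment` item of `Ad-Hoc Security trainings for software developers`, `Conduct security training for developers and relevant personnel`, is phrased as an instruction while the other two items, and the assessment items elsewhere in this commit, describe evidence to present; `- Security training for developers and relevant personnel has been conducted` follows that pattern. The remaining implementations continue past the hunk.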
@@ -1650,16 +1755,21 @@ Culture and Organization:
- none
Security consulting on request:
uuid: 0b28367b-75a0-4bae-a926-3725c1bf9bb0
- risk: Not asking a security expert when questions regarding security appear
- might lead to flaws.
- measure: Security consulting to teams is given on request. The security consultants
- can be internal or external.
+ level: 1
+ description: |
+ Security consulting on request allows teams to seek expert advice on security-related questions or challenges as they arise. This support can be provided by internal or external security consultants and helps address specific concerns during software development.
+ risk: |
+ If teams do not consult security experts when questions arise, security flaws may be introduced or remain undetected, increasing the risk of vulnerabilities in the software.
+ measure: |
+ Make security consulting available to teams on request, ensuring that expert advice is accessible when needed to address security concerns during development.
+ assessment: |
+ - Show evidence that an it security expert is available for questions at least quarterly.
+ - Documentation of consultations and resulting actions is available for review.
difficultyOfImplementation:
knowledge: 3
time: 1
resources: 1
usefulness: 3
- level: 1
implementation:
- uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
name: OWASP Cheatsheet Series
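Review bot: The first assessment bullet in the new `assessment` block reads "an it security expert"; the abbreviation should be capitalised, `- Show evidence that an IT security expert is available for questions at least quarterly.`. The rest of the rewritten fields read well and match the description/risk/measure block-scalar style used by the other rewritten activities in this change.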
@@ -1755,7 +1865,7 @@ Culture and Organization:
name: OWASP Juice Shop
tags:
- training
- url: https://github.com/bkimminich/juice-shop
+ url: https://github.com/juice-shop/juice-shop
description: In case you do not have the budget to hire an external security
expert, an option is to use the OWASP JuiceShop on a "hacking Friday"
- uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
@@ -2062,7 +2172,7 @@ Culture and Organization:
name: OWASP Juice Shop
tags:
- training
- url: https://github.com/bkimminich/juice-shop
+ url: https://github.com/juice-shop/juice-shop
description: In case you do not have the budget to hire an external security
expert, an option is to use the OWASP JuiceShop on a "hacking Friday"
- uuid: a8cd9acb-ad22-44d6-b177-1154c65a8529
@@ -2196,7 +2306,7 @@ Culture and Organization:
name: OWASP Juice Shop
tags:
- training
- url: https://github.com/bkimminich/juice-shop
+ url: https://github.com/juice-shop/juice-shop
description: In case you do not have the budget to hire an external security
expert, an option is to use the OWASP JuiceShop on a "hacking Friday"
- uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1
@@ -2259,23 +2369,23 @@ Culture and Organization:
Process:
Definition of simple BCDR practices for critical components:
uuid: c72da779-86cc-45b1-a339-190ce5093171
- description: A _Business Continuity and Disaster Recovery_ (BCDR) is a plan
- and a process that helps a business to return to normal operations if a disaster
- occurs.
- risk: If the disaster recovery actions are not clear, you risk slow reaction
- and remediation delays. This applies to cyber attacks as well as natural emergencies,
- such as a power outage.
- measure: By understanding and documenting a business continuity and disaster
- recovery (BCDR) plan, the overall availability of systems and applications
- is increased. Success factors like responsibilities, Service Level Agreements,
- Recovery Point Objectives, Recovery Time Objectives or Failover must be fully
- documented and understood by the people involved in the recovery.
+ description: |
+ Business Continuity and Disaster Recovery (BCDR) is a plan and a process that enable an organization to quickly restore normal operations after a disruptive event, such as a cyberattack or natural disaster.
+ risk: |
+ If the disaster recovery actions are not clear, you risk slow reaction and remediation delays.
+ This applies to cyber attacks as well as natural emergencies, such as a power outage.
+ measure: |
+ Develop, document, and communicate a BCDR plan for all critical components. The plan must define roles and responsibilities, Service Level Agreements (SLAs), Recovery Point Objectives (RPOs), Recovery Time Objectives (RTOs), and failover procedures. Ensure all relevant personnel are trained and the plan is reviewed and updated regularly.
+ assessment: "- There is a documented BCDR plan covering all critical components
+ of the application(s).\n- The plan clearly defines responsibilities, SLAs,
+ RPOs, RTOs, and failover steps. \n- Relevant staff are aware of the plan,
+ and evidence of regular review and testing is available.\n"
+ level: 1
difficultyOfImplementation:
knowledge: 4
time: 3
resources: 2
usefulness: 4
- level: 1
implementation: []
references:
samm2:
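Review bot: The new `assessment` field for the BCDR activity is written as a double-quoted flow scalar with embedded `\n` and a trailing space before one of them ("failover steps. \n"), while `description`, `risk` and `measure` in the same hunk and every other rewritten activity in this change use a `|` block scalar. Writing it as `assessment: |` followed by the three bullets on their own lines removes the escape sequences and the stray whitespace and keeps the file consistent. The same flow-scalar form appears in the "Simple access control for systems" hunk further down.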
@@ -2324,6 +2434,8 @@ Culture and Organization:
- uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
name: Business friendly vulnerability management metrics
url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ test-url-expects:
+ - 403
tags:
- documentation
- vulnerability
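Review bot: `test-url-expects: [403]` tells the link checker to treat a Forbidden response for this reference as healthy, which also hides the case where the article is actually gone or blocked for everyone rather than only for the checker's client. A short comment recording why the status is accepted would let a later maintainer tell the two apart, e.g. `test-url-expects: # medium.com answers 403 to non-browser clients; content verified manually on [DATE]` above the `- 403`. The same unexplained 403 allowance is added for this entry in the hunks at -5087, -5146, -5213 and -5866, and for the Medium linting article at -3140.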
@@ -2453,12 +2565,20 @@ Implementation:
- uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
name: OWASP MASVS
tags: []
- url: https://github.com/OWASP/owasp-masvs
+ url: https://github.com/OWASP/masvs
- uuid: 596cb528-8981-4723-bcc3-22c261f26114
name: API Security Maturity Model for Authorization
tags:
- api
url: https://curity.io/resources/learn/the-api-security-maturity-model/
+ - uuid: 6150533e-58ca-4b52-a9b2-6226545d9ea0
+ name: Top 5 API Security Myths That Are Crushing Your Business
+ tags:
+ - documentation
+ - waf
+ url: https://thehackernews.com/2022/11/top-5-api-security-myths-that-are.html
+ description: |
+ There are several myths and misconceptions about API security. These myths about securing APIs are crushing your business
references:
samm2:
- D-SR-A-2
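Review bot: The `description` of the new "Top 5 API Security Myths" entry is a marketing tagline rather than a description of what the reader gets, and it is an unfinished sentence without a full stop; something like `description: Short article debunking common misconceptions about API security and explaining why API-specific controls are needed in addition to a WAF.` would be more useful next to the other implementation entries. I would also double-check that the `waf` tag is what you want for an article whose point, as far as the title suggests, is that a WAF alone is not sufficient. The identical entry is added in the hunks at -2610, -2712, -3908, -4092 and -4138, so any wording fix should be applied in all six places.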
@@ -2610,12 +2730,20 @@ Implementation:
- uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
name: OWASP MASVS
tags: []
- url: https://github.com/OWASP/owasp-masvs
+ url: https://github.com/OWASP/masvs
- uuid: 596cb528-8981-4723-bcc3-22c261f26114
name: API Security Maturity Model for Authorization
tags:
- api
url: https://curity.io/resources/learn/the-api-security-maturity-model/
+ - uuid: 6150533e-58ca-4b52-a9b2-6226545d9ea0
+ name: Top 5 API Security Myths That Are Crushing Your Business
+ tags:
+ - documentation
+ - waf
+ url: https://thehackernews.com/2022/11/top-5-api-security-myths-that-are.html
+ description: |
+ There are several myths and misconceptions about API security. These myths about securing APIs are crushing your business
references:
samm2:
- D-SR-A-3
@@ -2712,7 +2840,15 @@ Implementation:
- uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
name: OWASP MASVS
tags: []
- url: https://github.com/OWASP/owasp-masvs
+ url: https://github.com/OWASP/masvs
+ - uuid: 6150533e-58ca-4b52-a9b2-6226545d9ea0
+ name: Top 5 API Security Myths That Are Crushing Your Business
+ tags:
+ - documentation
+ - waf
+ url: https://thehackernews.com/2022/11/top-5-api-security-myths-that-are.html
+ description: |
+ There are several myths and misconceptions about API security. These myths about securing APIs are crushing your business
references:
samm2:
- D-SR-A-3
@@ -2816,7 +2952,7 @@ Implementation:
- uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
name: OWASP MASVS
tags: []
- url: https://github.com/OWASP/owasp-masvs
+ url: https://github.com/OWASP/masvs
references:
samm2:
- D-SR-A-2
@@ -2858,7 +2994,7 @@ Implementation:
- uuid: 7bf90650-a53a-4581-a214-1afd5de3a059
name: OWASP MASVS
tags: []
- url: https://github.com/OWASP/owasp-masvs
+ url: https://github.com/OWASP/masvs
references:
samm2:
- D-SR-A-3
@@ -2875,13 +3011,16 @@ Implementation:
tags:
- none
Development and Source Control:
- Versioning:
+ Version control:
uuid: 066084c6-1135-4635-9cc5-9e75c7c5459f
- risk: Deployment of untracked artifacts.
- description: Use a version control system platform like Github, Gitlab, Bitbucket,
- gittea,... to version your code.
- measure: Version artifacts in order to identify deployed features and issues.
- This includes application and infrastructure code, jenkins configuration,
+ description: |-
+ Use a _version control system_ like Github, Gitlab, Bitbucket, etc to version your source code.
+ Also known as _source control_, _revision control_, or _source code management_.
+ risk: Without version control, it is challenging to track changes, collaborate
+ effectively, and maintain a history of code modifications. Rollback to earlier
+ versions is hard.
+ measure: Version your source code in order to identify deployed features and
+ issues. This includes application and infrastructure code, jenkins configuration,
container and virtual machine images definitions.
difficultyOfImplementation:
knowledge: 3
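Review bot: The rewritten `risk` drops the security framing of the original ("Deployment of untracked artifacts") and now only describes collaboration and rollback pain, although this activity sits in a security maturity model and its `measure` still speaks of identifying deployed features and issues. Consider adding one sentence to keep that angle, e.g. `Untracked artifacts can reach production without review or a traceable origin.`. The `description` also mixes product names and punctuation inconsistently; `GitHub, GitLab, Bitbucket, etc.` would read better.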
@@ -2889,8 +3028,6 @@ Implementation:
resources: 3
usefulness: 5
level: 1
- dependsOn:
- - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process
implementation: []
references:
samm2:
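Review bot: The dependency on `74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process` is deleted outright here and in the hunks at -3205 and -3795, but in the hunks at -4008 and -5354 the same uuid is replaced by `67e1a9aa-9fbf-4ec5-a2de-400f01960c51 # Automated deployment process`. That looks like the "Defined deployment process" activity was removed elsewhere in the file; if so it would be worth confirming that no other `dependsOn` entry still references 74938a3f, since a dangling uuid would not be caught by the YAML parser. The -3795 hunk additionally drops `f6f7737f # Defined build process`, which is still referenced by the activity in the -3866 hunk, so that removal may be intentional rather than part of the same cleanup.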
@@ -2906,7 +3043,7 @@ Implementation:
- 5.37
- 8.32
openCRE:
- - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Development%20and%20Source%20Control/subsection/Versioning
+ - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Development%20and%20Source%20Control/subsection/Version%20control
tags:
- none
Require a PR before merging:
@@ -2927,13 +3064,13 @@ Implementation:
implementation:
- uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a
name: Improve code quality with branch policies
- url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
+ url: https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
tags:
- source-code-protection
- scm
- uuid: 99211481-de9c-4358-880e-628366416a27
name: About protected branches
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
+ url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
tags:
- source-code-protection
- scm
@@ -2973,13 +3110,13 @@ Implementation:
implementation:
- uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a
name: Improve code quality with branch policies
- url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
+ url: https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
tags:
- source-code-protection
- scm
- uuid: 99211481-de9c-4358-880e-628366416a27
name: About protected branches
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
+ url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
tags:
- source-code-protection
- scm
@@ -3014,13 +3151,13 @@ Implementation:
implementation:
- uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a
name: Improve code quality with branch policies
- url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
+ url: https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
tags:
- source-code-protection
- scm
- uuid: 99211481-de9c-4358-880e-628366416a27
name: About protected branches
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
+ url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
tags:
- source-code-protection
- scm
@@ -3028,7 +3165,7 @@ Implementation:
name: Enforcement of commit signing
tags:
- signing
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule
+ url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule
description: Usage of branch protection rules
references:
samm2:
@@ -3062,13 +3199,13 @@ Implementation:
implementation:
- uuid: b1b88bc5-5a22-4888-a27b-acce3d9fe29a
name: Improve code quality with branch policies
- url: https://docs.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
+ url: https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops
tags:
- source-code-protection
- scm
- uuid: 99211481-de9c-4358-880e-628366416a27
name: About protected branches
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches
+ url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
tags:
- source-code-protection
- scm
@@ -3076,7 +3213,7 @@ Implementation:
name: Enforcement of commit signing
tags:
- signing
- url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule
+ url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule
description: Usage of branch protection rules
references:
samm2:
@@ -3140,10 +3277,16 @@ Implementation:
- linting
- uuid: aa5ded61-5380-4da6-9474-afc36a397682
name: In-Depth Linting of Your TypeScript While Coding
- url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding
+ url: https://medium.com/@elenavilchik/in-depth-linting-of-your-typescript-while-coding-1d084affbf0
+ test-url-expects:
+ - 403
tags:
- ide
- linting
+ - uuid: 6a0948a7-4781-4858-9766-f4303971b28b
+ name: eslint
+ tags: []
+ url: https://eslint.org/
references:
samm2:
- V-ST-A-1
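Review bot: The new `eslint` entry has `tags: []` while the neighbouring implementation entries in this list carry `- linting` and `- ide`; `tags: [linting]` would keep the list filterable by tag. For the TypeScript linting article the original publisher's URL on sonarsource.com is swapped for a Medium copy that needs a 403 allowance; if the original is only moved rather than gone, the canonical location or an archived copy would be a more stable reference than a mirror the link checker cannot fetch. I cannot tell from the hunk whether the sonarsource page still exists.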
@@ -3205,25 +3348,28 @@ Implementation:
- none
Simple access control for systems:
uuid: 82e499d1-f463-4a4b-be90-68812a874af6
- risk: Attackers a gaining access to internal systems and application interfaces
+ description: Basic access control for internal systems is implemented.
+ risk: Attackers a gaining access to other internal systems and application interfaces
+ is one breach occurs.
measure: All internal systems are using simple authentication
+ assessment: "- Presenting the documentation of the review of all user privileges
+ yearly. \n- Presenting the admin count and validating that there are less
+ than 5 admins per system.\n"
difficultyOfImplementation:
knowledge: 3
time: 3
resources: 3
usefulness: 5
level: 1
- dependsOn:
- - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process
implementation:
- uuid: 41fda224-2980-443c-bfd4-0a1d4b520cb9
name: HTTP-Basic Authentication
tags: []
- url: https://d3fend.mitre.org/dao/artifact/d3f:WebAuthentication/
+ url: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Authentication
- uuid: e506f60b-747b-44b1-8fe8-f67ccd8f290e
name: VPN
tags: []
- url: https://d3fend.mitre.org/dao/artifact/d3f:VPN/
+ url: https://d3fend.mitre.org/dao/artifact/d3f:VPNServer/
references:
samm2:
- O-EM-A-1
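Review bot: The rewritten `risk` text of "Simple access control for systems" is ungrammatical: "Attackers a gaining access to other internal systems and application interfaces is one breach occurs" should read `risk: Attackers gaining access to other internal systems and application interfaces once one system is breached.`. The `assessment` is a flow scalar with `\n` escapes and a trailing space ("yearly. \n") where the other rewritten activities use `|`; a block scalar avoids both. The "less than 5 admins per system" bullet is a hard number with no rationale in the entry; a short note on where that threshold comes from, or rephrasing it as "a documented, justified minimum number of admins", would make the assessment easier to apply to systems of very different size.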
@@ -3375,7 +3521,7 @@ Implementation:
name: Attack Matrix Kubernetes
tags:
- mitre
- url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
+ url: https://www.microsoft.com/en-US/security/blog/2020/04/02/attack-matrix-kubernetes/
description: Attack matrix for kubernetes
- uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af
name: Defend the core kubernetes security at every layer
@@ -3779,8 +3925,8 @@ Implementation:
risk: Everyone is able to get unauthorized access to information on systems
or to modify information unauthorized on systems.
measure: The usage of a (role based) access control helps to restrict system
- access to authorized users. And enhancement is to use attribute based access
- control.
+ access to authorized users. And enhancement is to use *attribute based access
+ control*.
difficultyOfImplementation:
knowledge: 2
time: 3
@@ -3795,9 +3941,6 @@ Implementation:
- uuid: cc55cba1-ea0a-466e-99c5-337c9da2b00e
name: Plugins
tags: []
- dependsOn:
- - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process
- - f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process
references:
samm2:
- O-EM-A-2
@@ -3866,7 +4009,7 @@ Implementation:
- uuid: ba6bd46c-2069-4f4d-b26c-7334a7553339
name: authentication
tags: []
- url: https://d3fend.mitre.org/dao/artifact/d3f:Authentication/
+ url: https://d3fend.mitre.org/dao/artifact/d3f:AuthenticationServer/
dependsOn:
- f6f7737f-25a9-4317-8de2-09bf59f29b5b # Defined build process
references:
@@ -3908,7 +4051,15 @@ Implementation:
level: 3
dependsOn:
- e1f37abb-d848-4a3a-b3df-65e91a89dcb7 # Context-aware output encoding
- implementation: []
+ implementation:
+ - uuid: 6150533e-58ca-4b52-a9b2-6226545d9ea0
+ name: Top 5 API Security Myths That Are Crushing Your Business
+ tags:
+ - documentation
+ - waf
+ url: https://thehackernews.com/2022/11/top-5-api-security-myths-that-are.html
+ description: |
+ There are several myths and misconceptions about API security. These myths about securing APIs are crushing your business
references:
samm2:
- O-EM-A-1
@@ -3967,7 +4118,7 @@ Implementation:
name: Attack Matrix Kubernetes
tags:
- mitre
- url: https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
+ url: https://www.microsoft.com/en-US/security/blog/2020/04/02/attack-matrix-kubernetes/
description: Attack matrix for kubernetes
- uuid: b7a92886-aec9-4bf4-94c4-07cc191a97af
name: Defend the core kubernetes security at every layer
@@ -4008,7 +4159,7 @@ Implementation:
usefulness: 4
level: 4
dependsOn:
- - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process
+ - 67e1a9aa-9fbf-4ec5-a2de-400f01960c51 # Automated deployment process
- 8b994601-575e-4ea5-b228-accb18c8e514 # Infrastructure as Code
implementation: []
references:
@@ -4092,7 +4243,15 @@ Implementation:
level: 4
dependsOn:
- f0e01814-3b88-4bd0-a3a9-f91db001d20b # WAF baseline
- implementation: []
+ implementation:
+ - uuid: 6150533e-58ca-4b52-a9b2-6226545d9ea0
+ name: Top 5 API Security Myths That Are Crushing Your Business
+ tags:
+ - documentation
+ - waf
+ url: https://thehackernews.com/2022/11/top-5-api-security-myths-that-are.html
+ description: |
+ There are several myths and misconceptions about API security. These myths about securing APIs are crushing your business
references:
samm2:
- O-EM-A-2
@@ -4138,7 +4297,15 @@ Implementation:
level: 5
dependsOn:
- f0e01814-3b88-4bd0-a3a9-f91db001d20b-medium # WAF medium
- implementation: []
+ implementation:
+ - uuid: 6150533e-58ca-4b52-a9b2-6226545d9ea0
+ name: Top 5 API Security Myths That Are Crushing Your Business
+ tags:
+ - documentation
+ - waf
+ url: https://thehackernews.com/2022/11/top-5-api-security-myths-that-are.html
+ description: |
+ There are several myths and misconceptions about API security. These myths about securing APIs are crushing your business
references:
samm2:
- O-EM-A-2
@@ -4157,17 +4324,20 @@ Information Gathering:
Logging:
Centralized system logging:
uuid: 4eced38a-7904-4c45-adb0-50b663065540
- risk: Local stored system logs can be unauthorized manipulated by attackers
- or might be corrupt after an incident. In addition, it is hard to perform
- a aggregation of logs.
- measure: By using centralized logging logs are protected against unauthorized
- modification.
+ description: |
+ Centralized system logging involves collecting and storing system logs from multiple sources in a secure, central location. This approach improves log integrity, simplifies monitoring, and enables efficient incident response.
+ risk: |
+ Locally stored system logs can be manipulated by attackers unauthorized or might be corrupt or lost after an incident. In addition, it is hard to perform aggregation of logs.
+ measure: |
+ - Implement a centralized logging solution for all critical systems.
+ - System logs must be stored in a central repository, protected from unauthorized access and modification.
+ - Ensure that log collection is automated and covers all relevant system events.
+ level: 1
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 2
- level: 1
implementation:
- uuid: 79f88310-d63e-471d-8e63-8c77f2281b66
name: rsyslog
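Review bot: The new `risk` sentence "Locally stored system logs can be manipulated by attackers unauthorized" is garbled; `Locally stored system logs can be tampered with by an attacker who gains access to the host, or may be corrupted or lost after an incident.` says the same thing clearly. Every other activity rewritten in this change (ad-hoc training, consulting, BCDR, the three metrics activities, false positive treatment) gains an `assessment` block, but "Centralized system logging" does not; a bullet such as `- System logs of all critical systems are forwarded to a central store that hosts cannot alter or delete.` would match the pattern and give assessors something concrete to check.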
@@ -4177,7 +4347,7 @@ Information Gathering:
- logging
- uuid: 7a8fad2e-d642-4972-8501-74591b23feab
name: logstash
- url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html
+ url: https://www.elastic.co/docs/reference/logstash/getting-started-with-logstash
tags:
- tool
- logging
@@ -4252,7 +4422,7 @@ Information Gathering:
implementation:
- uuid: 7a8fad2e-d642-4972-8501-74591b23feab
name: logstash
- url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html
+ url: https://www.elastic.co/docs/reference/logstash/getting-started-with-logstash
tags:
- tool
- logging
@@ -4336,7 +4506,7 @@ Information Gathering:
- uuid: 38fe9d00-df8b-44b6-910d-ca0f02b5c5d3
name: ELK-Stack
tags: []
- url: https://www.elastic.co/elk-stack
+ url: https://www.elastic.co/elastic-stack/
references:
samm2:
- O-IM-A-1
@@ -4405,7 +4575,7 @@ Information Gathering:
- logging
- uuid: 7a8fad2e-d642-4972-8501-74591b23feab
name: logstash
- url: https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html
+ url: https://www.elastic.co/docs/reference/logstash/getting-started-with-logstash
tags:
- tool
- logging
@@ -4440,8 +4610,11 @@ Information Gathering:
Monitoring:
Simple application metrics:
uuid: e9a6d403-a467-445e-b98a-74f0c29da0b1
- risk: Attacks on an application are not recognized.
- measure: |-
+ description: |
+ Collecting basic operational data from applications, such as authentication attempts, transaction volumes, and resource usage, will help detect abnormal patterns that may indicate security incidents or system issues.
+ risk: |
+ Without monitoring application metrics, attacks or abnormal behaviors may go undetected, increasing the risk of successful exploitation, data breaches, and delayed incident response.
+ measure: |
Gathering of application metrics helps to identify incidents like brute force attacks, login/logout patterns, and unusual spikes in activity. Key metrics to monitor include:
- Authentication attempts (successful/failed logins)
- Transaction volumes and patterns (e.g. orders, payments)
@@ -4454,12 +4627,14 @@ Information Gathering:
- A security incident (automated bulk purchase bots, credential stuffing attack)
By monitoring these basic metrics, teams can quickly investigate abnormal patterns and determine if they represent security incidents requiring response.
+ assessment: |
+ - Basic application metrics are collected and reviewed.
+ level: 1
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 5
- level: 1
implementation:
- uuid: ddf221df-3517-42e4-b23d-c1d9a162744c
name: Prometheus
@@ -4479,16 +4654,21 @@ Information Gathering:
- none
Simple budget metrics:
uuid: f08a3219-6941-43ec-8762-4aff739f4664
- risk: Not getting notified about reaching the end of the budget (e.g. due to
- a denial of service) creates unexpected costs.
- measure: Cloud providers often provide insight into budgets. A threshold and
- alarming for the budget is set.
+ description: |
+ Monitoring resource usage and costs to prevent unexpected expenses. This is especially important in cloud environments where resource consumption can quickly exceed planned budgets.
+ risk: |
+ Failure to monitor budget metrics can result in unexpected costs, financial loss, and potential service disruption due to resource exhaustion or denial-of-service attacks.
+ measure: |
+ Set up budget monitoring and alerting for all critical resources. Use provider tools to track spending and configure alerts when thresholds are reached. Implement hard limits where possible to prevent budget overruns.
+ assessment: |
+ - The organization regularly monitors budget metrics
+ - Alerting outside given thresholds are implemented
+ level: 1
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 5
- level: 1
implementation:
- uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8
name: collected
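Review bot: The new `measure` recommends "Implement hard limits where possible to prevent budget overruns" without mentioning the trade-off: a hard spending cap turns a cost-exhaustion attack into an outage, because the provider stops the service once the cap is hit. Since the `risk` text itself names denial-of-service as a cause, the measure should say that hard limits need an availability decision, e.g. append `Where hard limits are used, document which services may be stopped automatically and which must stay available.`. The second assessment bullet is also ungrammatical; `- Alerts for spending above the defined thresholds are implemented` reads better.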
@@ -4509,19 +4689,20 @@ Information Gathering:
- none
Simple system metrics:
uuid: 3d1f4c3b-f713-46d9-933a-54a014a26c03
- risk: Without simple metrics analysis of incidents are hard. In case an application
- uses a lot of CPU from time to time, it is hard for a developer to find out
- the source with Linux commands.
- measure: Gathering of system metrics helps to identify incidents and specially
- bottlenecks like in CPU usage, memory usage and hard disk usage.
+ description: |
+ Monitoring basic system performance data, such as CPU, memory, and disk usage, will help identify performance bottlenecks and potential security incidents.
+ risk: |
+ Without monitoring system metrics, it is difficult to detect incidents or performance issues, leading to delayed response, reduced availability, and increased risk of undetected attacks.
+ measure: |
+ Collect and monitor key system metrics, including CPU, memory, and disk usage.
+ assessment: |
+ - Basic system metrics are monitored and reviewed regularly
+ level: 1
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 2
usefulness: 5
- assessment: |
- Are system metrics gathered?
- level: 1
implementation:
- uuid: 73f6a52c-4fc2-45dc-991b-d5911b6c1ef8
name: collected
@@ -4832,12 +5013,7 @@ Information Gathering:
level: 4
dependsOn:
- ded39bcf-4eaa-4c5f-9c94-09acde0a4734 # Visualized metrics
- implementation:
- - uuid: 84ef86ea-ada4-4e10-ae4f-a5bb77dcae5d
- name: https://ht.transpare
- tags: []
- url: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD
- description: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD%20Fileserver/books/SICUREZZA/Addison.Wesley.Security.Metrics.Mar.2007.pdf
+ implementation: []
references:
samm2:
- O-IM-A-2
@@ -5087,6 +5263,8 @@ Information Gathering:
- uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
name: Business friendly vulnerability management metrics
url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ test-url-expects:
+ - 403
tags:
- documentation
- vulnerability
@@ -5146,6 +5324,8 @@ Information Gathering:
- uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
name: Business friendly vulnerability management metrics
url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ test-url-expects:
+ - 403
tags:
- documentation
- vulnerability
@@ -5213,6 +5393,8 @@ Information Gathering:
- uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
name: Business friendly vulnerability management metrics
url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ test-url-expects:
+ - 403
tags:
- documentation
- vulnerability
@@ -5292,7 +5474,7 @@ Test and Verification:
name: JUnit
tags:
- unittest
- url: https://junit.org/junit5/
+ url: https://junit.org/
- uuid: fd56720a-ad4b-487c-b4c3-897a688672c4
name: Karma
tags: []
@@ -5354,7 +5536,7 @@ Test and Verification:
level: 4
implementation: []
dependsOn:
- - 74938a3f-1269-49b9-9d0f-c43a79a1985a # Defined deployment process
+ - 67e1a9aa-9fbf-4ec5-a2de-400f01960c51 # Automated deployment process
references:
samm2:
- V-RT-A-3
@@ -5403,9 +5585,17 @@ Test and Verification:
Consolidation:
Simple false positive treatment:
uuid: c1acc8af-312e-4503-a817-a26220c993a0
- risk: As false positive occur during each test, all vulnerabilities might be
- ignored. Specially, if tests are automated an run daily.
- measure: |-
+ description: |
+ Security tests may produce false positives (or _"false alarms"_), findings that are incorrectly identified as vulnerabilities.
+
+ It is important distinguish these from true positive vulnerabilities to avoid wasting time and resources on non-issues.
+
+ False positive treatment ensures that findings from security tests are triaged and documented, allowing teams to distinguish between real vulnerabilities and false positives. This reduces unnecessary work and helps maintain focus on true risks.
+
+ Some positive findings might be considered an _accepted risk_ by the organization. This must also be documented.
+ risk: |
+ If false positives are not managed, teams may ignore all findings, leading to real vulnerabilities being overlooked and increasing the risk of exploitation. Specially, if tests are automated an run daily.
+ measure: |
Findings from security tests must be triaged and outcomes persisted/documented to:
- Prevent re-analysis of known issues in subsequent test runs
- Track accepted risks vs false positives
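Review bot: Two sentences in the rewritten text have grammar slips: in `description`, "It is important distinguish these" should be `It is important to distinguish these`, and in `risk` the carried-over "Specially, if tests are automated an run daily." should be `Especially if tests are automated and run daily.`. The same "specially" wording is also moved into the `comments` field of the next activity in the -5451 hunk. Otherwise the split between false positives and documented accepted risks in the description is a useful clarification.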
@@ -5417,12 +5607,14 @@ Test and Verification:
- [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck/general/suppression.html)
- [Kubescape with VEX](https://kubescape.io/blog/2023/12/07/kubescape-support-for-vex-generation/)
- [OWASP DefectDojo Risk Acceptance](https://docs.defectdojo.com/en/working_with_findings/findings_workflows/risk_acceptances/) and [False Positive Handling](https://docs.defectdojo.com/en/working_with_findings/intro_to_findings/#triage-vulnerabilities-using-finding-status)
+ assessment: |
+ A process is defined for triaging and documenting false positives and accepted risks
+ level: 1
difficultyOfImplementation:
knowledge: 1
time: 1
resources: 1
usefulness: 4
- level: 1
implementation:
- uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb
name: OWASP DefectDojo
@@ -5451,22 +5643,33 @@ Test and Verification:
openCRE:
- https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Simple%20false%20positive%20treatment
isImplemented: false
+ tags:
+ - false-positive
+ - defect-management
+ - scanning
+ - sca
+ - sats
+ - dast
evidence: ""
comments: ""
- tags:
- - none
- Treatment of defects with severity high or higher:
+ Treatment of defects with high or critical severity:
uuid: 44f2c8a9-4aaa-4c72-942d-63f78b89f385
- risk: Vulnerabilities with severity high or higher are not visible.
- measure: Vulnerabilities with severity high or higher are added to the quality
- gate.
+ description: |
+ All security problems that are rated as "high" or "critical" must be fixed before the software can be released or used in production. This means that if a serious vulnerability is found, it cannot be ignored or postponed.
+ risk: |
+ If serious security problems are not fixed, attackers could exploit them to steal data, disrupt services, or cause other harm. Ignoring these issues puts the organization, its customers, and its reputation at risk.
+ measure: |
+ - Make it a rule that all _high_ or _critical_ security findings must be fixed before the software is approved for release or use.
+ - Track these issues and make sure they are resolved quickly.
+ assessment: |
+ - Provide evidence that vulnerabilities are treated within the defined time frame in production. For example via the DSOMM activity [Number of vulnerabilities/severity](./activity-description?uuid=bc548cba-cb82-4f76-bd4b-325d9d256279) or [Patching mean time to resolution via PR](./activity-description?uuid=86d490b9-d798-4a5b-a011-ab9688014c46) with extra deployment statistics.
+ comments: False positive analysis, specially for static analysis, is time consuming.
+ level: 1
difficultyOfImplementation:
knowledge: 2
time: 2
resources: 1
usefulness: 4
- level: 1
- comments: False positive analysis, specially for static analysis, is time consuming.
references:
samm2:
- I-DM-A-2
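Review bot: The `measure` and `assessment` of the renamed "Treatment of defects with high or critical severity" describe two different controls: the measure makes high/critical findings a release gate ("must be fixed before the software is approved for release"), while the assessment asks for evidence that vulnerabilities "are treated within the defined time frame in production", which is a remediation SLA for issues that did ship. Decide which one the activity is and align the other, for example by adding to the assessment `- Provide evidence that releases with open high or critical findings are blocked or carry a documented risk acceptance.`. Separately, the new tag `- sats` in the "Simple false positive treatment" tag list (and again in the -5549 hunk) looks like a typo for `sast` next to `sca` and `dast`; if `sats` is not an established tag elsewhere in the file it should be corrected, since tag lists are only useful when spelled consistently.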
@@ -5477,8 +5680,19 @@ Test and Verification:
- 8.8
- 5.25
openCRE:
- - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Treatment%20of%20defects%20with%20severity%20high%20or%20higher
- implementation: []
+ - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Treatment%20of%20defects%20with%20high%20or%20critical%20severity
+ implementation:
+ - uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b
+ name: Trivy
+ tags: []
+ url: https://github.com/aquasecurity/trivy
+ - uuid: 7970af6e-a7d3-4359-a6ea-301d26b16329
+ name: Grype
+ tags:
+ - sbom
+ - dependency
+ - vulnerability
+ url: https://github.com/anchore/grype
tags:
- vuln-action
- defect-management
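Review bot: The Trivy entry added at the top of the new `implementation` list carries `tags: []`, while the Grype entry beside it is tagged `sbom`, `dependency`, `vulnerability`, so tag-based filtering surfaces one scanner but not the other for the same activity. Both tools are listed here as implementations of a high/critical quality gate, yet neither entry says how it fails a build on such findings; a one-line `description:` per tool stating that would make the link to the activity explicit. Suggest giving Trivy the same three tags as Grype, and since the same uuid `7f500e95-…` appears with `tags: []` elsewhere in this diff, keep those occurrences aligned.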
@@ -5549,6 +5763,10 @@ Test and Verification:
tags:
- false-positive
- defect-management
+ - scanning
+ - sca
+ - sats
+ - dast
Simple visualization of defects:
uuid: 55f4c916-3a34-474d-ad96-9a9f7a4f6a83
risk: The security level of a component is not visible. Therefore, the motivation
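Review bot: The new tag `sats` on the last added line looks like a transposition of `sast`, the spelling the IDE-plugin entries further down in this file use (`- sast`); a misspelled tag silently splits the SAST filter into two buckets. The same `sats` value is introduced in two other tag lists in this diff, so correct all three together: `- sast`. Also check whether `dast` belongs on a false-positive-treatment activity, or whether this list was pasted from another activity.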
@@ -5637,7 +5855,7 @@ Test and Verification:
- The number of network hops required to reach the asset (recommended)
- Authentication requirements for access (recommended)
dependsOn:
- - 44f2c8a9-4aaa-4c72-942d-63f78b89f385 # Treatment of defects with severity high or higher
+ - 44f2c8a9-4aaa-4c72-942d-63f78b89f385 # Treatment of defects with high or critical severity
- 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
implementation: ~
references:
@@ -5866,6 +6084,8 @@ Test and Verification:
- uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
name: Business friendly vulnerability management metrics
url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ test-url-expects:
+ - 403
tags:
- documentation
- vulnerability
@@ -5892,7 +6112,7 @@ Test and Verification:
- vulnerability-mgmt
- metrics
- vmm-measurements
- Treatment of defects with severity middle:
+ Treatment of defects with medium severity:
uuid: 9cac3341-fe83-4079-bef2-bfc4279eb594
risk: Vulnerabilities with severity middle are not visible.
measure: Vulnerabilities with severity middle are added to the quality gate.
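Review bot: The activity key is renamed to `Treatment of defects with medium severity`, but the unchanged `risk:` and `measure:` lines directly below still say `severity middle`, so the rendered activity now contradicts its own title. Update them to match: `risk: Vulnerabilities with medium severity are not visible.` and `measure: Vulnerabilities with medium severity are added to the quality gate.`. The high/critical sibling in this diff gained `description:` and `assessment:` fields; this level of the same control still has neither, so the two read inconsistently.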
@@ -5913,7 +6133,7 @@ Test and Verification:
- 8.8
- 5.25
openCRE:
- - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Treatment%20of%20defects%20with%20severity%20middle
+ - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Consolidation/subsection/Treatment%20of%20defects%20with%20medium%20severity
implementation: []
tags:
- vuln-action
@@ -6012,6 +6232,8 @@ Test and Verification:
- uuid: 3b99799c-e875-4cc2-aad7-5ce4564a1cde
name: Business friendly vulnerability management metrics
url: https://medium.com/uber-security-privacy/business-friendly-vulnerability-management-metrics-cfd702fd7705
+ test-url-expects:
+ - 403
tags:
- documentation
- vulnerability
@@ -6396,13 +6618,13 @@ Test and Verification:
- uuid: 7063cf8c-cd98-480f-8ef7-11cf241d2366
name: OWASP Code Pulse
tags: []
- url: https://www.owasp.org/index.php/OWASP_Code_Pulse
+ url: https://owasp.org/www-project-code-pulse/
- uuid: f011de6e-ab7c-4ec7-af55-03427271ab32
name: Coverage.py
tags:
- testing
- coverage
- url: https://github.com/nedbat/coveragepy
+ url: https://github.com/coveragepy/coveragepy
description: |
Code coverage measurement for Python
references:
@@ -6482,7 +6704,7 @@ Test and Verification:
- uuid: f085295e-46a3-4c8d-bbc3-1ac6b9dfcf2a
name: OWASP Amass
tags: []
- url: https://github.com/OWASP/Amass
+ url: https://github.com/owasp-amass/amass
references:
samm2:
- V-ST-A-1
@@ -6551,7 +6773,7 @@ Test and Verification:
implementation:
- uuid: 893d9f37-2142-4490-996c-e43b55064d3d
name: kubescape
- url: https://github.com/armosec/kubescape
+ url: https://github.com/kubescape/kubescape
tags:
- kubernetes
- vulnerability
@@ -6637,7 +6859,7 @@ Test and Verification:
name: HTC Hydra
tags:
- password
- url: https://www.htc-cs.com/en/products/htc-hydra/
+ url: https://github.com/vanhauser-thc/thc-hydra
references:
samm2:
- V-ST-A-2
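Review bot: The new URL points at `vanhauser-thc/thc-hydra`, but the unchanged `name: HTC Hydra` two lines above keeps the transposed vendor name, so anyone searching the model for THC Hydra will not find this entry. Change the name together with the URL: `name: THC Hydra`.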
@@ -6725,6 +6947,50 @@ Test and Verification:
tags:
- none
Static depth for applications:
+ Exploit likelihood estimation:
+ uuid: f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
+ description: "Severity-based vulnerability triage alone generates a lot false
+ positives, requiring a more refined approach.\n\nUse the likelihood of exploitation
+ by using *known exploited vulnerabilities* (CISA KEV), or prediction models
+ such as \n*Exploit Prediction Scoring System* (EPSS).\n"
+ risk: |
+ Without proper prioritization, organizations may waste time and effort on low-risk vulnerabilities while neglecting critical ones.
+ measure: |
+ Use CISA KEV and EPSS to prioritize vulnerabilities that are more likely to be exploited.
+ difficultyOfImplementation:
+ knowledge: 2
+ time: 2
+ resources: 2
+ usefulness: 4
+ level: 2
+ dependsOn:
+ - d918cd44-a972-43e9-a974-eff3f4a5dcfe # Software Composition Analysis (server side)
+ implementation:
+ - uuid: aa507341-9531-42cd-95cf-d7b51af47086
+ name: Known Exploited Vulnerabilities
+ tags:
+ - vulnerability
+ url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+ description: A catalog of vulnerabilities that have been exploited.
+ - uuid: e39afc58-8195-4600-92c6-11922e3a141b
+ name: Exploit Prediction Scoring System
+ tags:
+ - vulnerability
+ url: https://www.first.org/epss/
+ description: Estimates the likelihood that a software vulnerability will be
+ exploited.
+ references:
+ samm2:
+ - V-ST-A-2
+ - I-SB-B-3
+ iso27001-2017:
+ - 12.6.1
+ iso27001-2022:
+ - 8.8
+ openCRE:
+ - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Exploit%20likelihood%20estimation
+ tags:
+ - none
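Review bot: The new `measure:` presents KEV and EPSS purely as prioritization inputs, but a practitioner needs the caveat that they complement rather than replace the severity gate defined earlier in this file: a finding listed in CISA KEV should be treated as must-fix regardless of its CVSS score, and a low EPSS score does not downgrade a reachable critical finding. Suggest extending the measure with `- Treat any finding listed in CISA KEV as must-fix regardless of severity; use EPSS to order the remainder.`. The `description:` has a grammar slip (`a lot false positives` → `a lot of false positives`) and embeds literal `\n` escapes in a double-quoted scalar, where a `|` block like the sibling fields would be more readable. Compared with the copy removed further down in this diff, `level` drops from 3 to 2 without a note explaining the re-leveling, and `tags: - none` leaves the activity out of the `sca`/`defect-management` filters this same diff applies to neighbouring activities.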
Software Composition Analysis (server side):
uuid: d918cd44-a972-43e9-a974-eff3f4a5dcfe
description: Use a tool like trivy and concentrate on application related vulnerabilities.
@@ -6770,6 +7036,8 @@ Test and Verification:
name: npm audit
tags: []
url: https://docs.npmjs.com/cli/audit
+ test-url-expects:
+ - 301
- uuid: 5c0e817b-204e-4301-a315-2f7cc180c240
name: Dependabot
tags:
@@ -6780,7 +7048,7 @@ Test and Verification:
description: |
Dependabot creates pull requests to keep your dependencies secure and up-to-date.
- uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b
- name: https://github.com/aquasecurity/trivy
+ name: Trivy
tags: []
url: https://github.com/aquasecurity/trivy
references:
@@ -6794,7 +7062,12 @@ Test and Verification:
openCRE:
- https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Software%20Composition%20Analysis%20%28server%20side%29
tags:
- - vmm-testing
+ - false-positive
+ - defect-management
+ - scanning
+ - sca
+ - sats
+ - dast
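Review bot: The replacement tag list for `Software Composition Analysis (server side)` is identical to the one given to `Simple false positive treatment` earlier in this diff, and `false-positive` and `dast` do not describe an SCA activity, which suggests a paste error. Dropping `vmm-testing` also removes this activity from the VMM mapping that other activities in this file keep (`vmm-measurements` is still used nearby), so it should stay unless the mapping is deliberately being retired. `sats` is probably `sast`, though SAST is not SCA either; a minimal list would be `- vmm-testing`, `- scanning`, `- sca`, `- defect-management`.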
Test for Time to Patch:
uuid: 13af1227-3dd1-4d4f-a9e9-53deb793c18f
risk: Automatic PRs for dependencies are overlooked resulting in known vulnerabilities
@@ -6814,7 +7087,7 @@ Test and Verification:
tags:
- auto-pr
- patching
- url: https://dependabot.com/
+ url: https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide
- uuid: 8228266e-e04f-40ba-94c8-bfadc5310920
name: renovate
tags:
@@ -6936,48 +7209,6 @@ Test and Verification:
- 2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
tags:
- none
- Exploit likelihood estimation:
- uuid: f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
- risk: Without proper prioritization, organizations may waste time and effort
- on low-risk vulnerabilities while neglecting critical ones.
- measure: Estimate the likelihood of exploitation by using data (CISA KEV) from
- the past or prediction models (e.g. Exploit Prediction Scoring System, EPSS).
- description: Severity-based vulnerability triage alone generates a lot false
- positives, requiring a more refined approach.
- difficultyOfImplementation:
- knowledge: 2
- time: 2
- resources: 2
- usefulness: 4
- level: 3
- dependsOn:
- - d918cd44-a972-43e9-a974-eff3f4a5dcfe # Software Composition Analysis (server side)
- implementation:
- - uuid: aa507341-9531-42cd-95cf-d7b51af47086
- name: Known Exploited Vulnerabilities
- tags:
- - vulnerability
- url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- description: A catalog of vulnerabilities that have been exploited.
- - uuid: e39afc58-8195-4600-92c6-11922e3a141b
- name: Exploit Prediction Scoring System
- tags:
- - vulnerability
- url: https://www.first.org/epss/
- description: Estimates the likelihood that a software vulnerability will be
- exploited.
- references:
- samm2:
- - V-ST-A-2
- - I-SB-B-3
- iso27001-2017:
- - 12.6.1
- iso27001-2022:
- - 8.8
- openCRE:
- - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Exploit%20likelihood%20estimation
- tags:
- - none
Local development security checks performed:
uuid: 6e180abc-7c98-4265-b4e9-852cb91b067b
risk: Creating and developing code contains code smells and quality issues.
@@ -6994,29 +7225,35 @@ Test and Verification:
- uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398
name: Fortify Extension for Visual Studio Code
url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
+ test-url-expects:
+ - 404
tags:
- ide
- sast
- uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005
name: Setting Up the Visual Studio Code Extension Plugin
url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
+ test-url-expects:
+ - 302
tags:
- ide
- sast
- uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb
name: HCL AppScan CodeSweep
url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
+ test-url-expects:
+ - 404
tags:
- ide
- sast
- uuid: 58ac9dea-b6c7-4698-904e-df89a9451c82
name: DevSecOps control Pre-commit
- url: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls#plan-and-develop
+ url: https://learn.microsoft.com/en-us/security/zero-trust/develop/secure-devops-environments-zero-trust
tags:
- pre-commit
- uuid: 8da8d115-0f4e-40f0-a3ce-484a49e845fb
name: Building your DevSecOps pipeline 5 essential activities
- url: https://www.synopsys.com/blogs/software-security/devsecops-pipeline-checklist/
+ url: https://www.blackduck.com/blog/devsecops-pipeline-checklist/
tags:
- pre-commit
references:
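Review bot: `test-url-expects: - 404` on the two Visual Studio Marketplace entries tells the link checker that not-found is the expected answer, so the check can no longer tell a marketplace that blocks non-browser clients from an extension that has actually been unpublished. If the marketplace is known to answer 404 to the checker's client, say so in a YAML comment beside each expectation, e.g. `# marketplace answers 404 to non-browser clients; page loads in a browser`, and re-verify that the extension is still listed; the same expectation is repeated for the same uuids in three further hunks below. The Microsoft link for `DevSecOps control Pre-commit` now targets a Zero Trust secure-DevOps page whose title no longer mentions pre-commit controls; confirm the new target still covers the referenced content or rename the entry.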
@@ -7059,6 +7296,8 @@ Test and Verification:
name: npm audit
tags: []
url: https://docs.npmjs.com/cli/audit
+ test-url-expects:
+ - 301
- uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9
name: Dependency-Track
description: |
@@ -7091,10 +7330,11 @@ Test and Verification:
openCRE:
- https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20applications/subsection/Software%20Composition%20Analysis%20%28client%20side%29
isImplemented: false
+ tags:
+ - defect-management
+ - sca
evidence: ""
comments: ""
- tags:
- - none
Static analysis for important client side components:
uuid: e237176b-bec5-447d-a926-e37d6dd60e4b
risk: Important parts in the source code of the frontend have vulnerabilities.
@@ -7127,18 +7367,24 @@ Test and Verification:
- uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398
name: Fortify Extension for Visual Studio Code
url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
+ test-url-expects:
+ - 404
tags:
- ide
- sast
- uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005
name: Setting Up the Visual Studio Code Extension Plugin
url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
+ test-url-expects:
+ - 302
tags:
- ide
- sast
- uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb
name: HCL AppScan CodeSweep
url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
+ test-url-expects:
+ - 404
tags:
- ide
- sast
@@ -7186,18 +7432,24 @@ Test and Verification:
- uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398
name: Fortify Extension for Visual Studio Code
url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
+ test-url-expects:
+ - 404
tags:
- ide
- sast
- uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005
name: Setting Up the Visual Studio Code Extension Plugin
url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
+ test-url-expects:
+ - 302
tags:
- ide
- sast
- uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb
name: HCL AppScan CodeSweep
url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
+ test-url-expects:
+ - 404
tags:
- ide
- sast
@@ -7286,18 +7538,24 @@ Test and Verification:
- uuid: 5b52a841-c281-45fd-b68f-0a93aa6fa398
name: Fortify Extension for Visual Studio Code
url: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.fortify-extension-for-vs-code
+ test-url-expects:
+ - 404
tags:
- ide
- sast
- uuid: cf1213fd-8bfa-4a97-bf8b-937c93f31005
name: Setting Up the Visual Studio Code Extension Plugin
url: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin
+ test-url-expects:
+ - 302
tags:
- ide
- sast
- uuid: 3f5a493d-12d0-4468-b9fa-c3e4eae89ffb
name: HCL AppScan CodeSweep
url: https://marketplace.visualstudio.com/items?itemName=HCLTechnologies.hclappscancodesweep
+ test-url-expects:
+ - 404
tags:
- ide
- sast
@@ -7470,9 +7728,15 @@ Test and Verification:
tags:
- ide
- linting
+ - uuid: 6a0948a7-4781-4858-9766-f4303971b28b
+ name: eslint
+ tags: []
+ url: https://eslint.org/
- uuid: aa5ded61-5380-4da6-9474-afc36a397682
name: In-Depth Linting of Your TypeScript While Coding
- url: https://blog.sonarsource.com/in-depth-linting-of-your-typescript-while-coding
+ url: https://medium.com/@elenavilchik/in-depth-linting-of-your-typescript-while-coding-1d084affbf0
+ test-url-expects:
+ - 403
tags:
- ide
- linting
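Review bot: The new `eslint` implementation entry is added with `tags: []` between two entries that carry `ide` and `linting`, so the linting filter will not list it; suggest `tags: - linting`. The Sonar blog link is replaced by a personal Medium post and whitelisted with `403`; if the 403 is Medium's bot-blocking rather than a dead page, a short comment saying so next to `test-url-expects` keeps the exception from being removed later.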
@@ -7518,7 +7782,7 @@ Test and Verification:
- uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6
name: truffleHog
tags: []
- url: https://github.com/dxa4481/truffleHog
+ url: https://github.com/trufflesecurity/trufflehog
- uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835
name: go-pillage-registries
tags: []
@@ -7556,7 +7820,7 @@ Test and Verification:
- uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6
name: truffleHog
tags: []
- url: https://github.com/dxa4481/truffleHog
+ url: https://github.com/trufflesecurity/trufflehog
- uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835
name: go-pillage-registries
tags: []
@@ -7628,7 +7892,7 @@ Test and Verification:
usefulness: 2
level: 2
implementation:
- - url: https://github.com/SDA-SE/clusterscanner
+ - url: https://github.com/SDA-SE/cluster-image-scanner
uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f
name: ClusterScanner
tags:
@@ -7673,7 +7937,7 @@ Test and Verification:
name: Dive to inspect a container images
tags: []
url: https://github.com/wagoodman/dive
- - url: https://github.com/SDA-SE/clusterscanner
+ - url: https://github.com/SDA-SE/cluster-image-scanner
uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f
name: ClusterScanner
tags:
@@ -7805,7 +8069,7 @@ Test and Verification:
usefulness: 3
level: 3
implementation:
- - url: https://github.com/SDA-SE/clusterscanner
+ - url: https://github.com/SDA-SE/cluster-image-scanner
uuid: 3c9ac78c-0fd4-43f4-8211-c915f9ef685f
name: ClusterScanner
tags:
@@ -7922,7 +8186,7 @@ Test and Verification:
often too fine-granular.
implementation:
- uuid: 7f500e95-2110-44c4-a1f8-cd7ef5d9eb6b
- name: https://github.com/aquasecurity/trivy
+ name: Trivy
tags: []
url: https://github.com/aquasecurity/trivy
- uuid: 8737c6c0-4e90-400a-bf9a-f8e399913b57
@@ -7952,10 +8216,11 @@ Test and Verification:
openCRE:
- https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Static%20depth%20for%20infrastructure/subsection/Software%20Composition%20Analysis
isImplemented: false
+ tags:
+ - scanning
+ - sca
evidence: ""
comments: ""
- tags:
- - none
Test of infrastructure components for known vulnerabilities:
uuid: 13367d8f-e37f-4197-a610-9ffca4fde261
risk: Infrastructure components might have vulnerabilities.
@@ -8005,7 +8270,7 @@ Test and Verification:
comments: ""
tags:
- none
- Test-Intensity:
+ Test Intensity:
Default settings for intensity:
uuid: ab0a4b51-3b18-43f1-a6fc-a98e4b28453d
risk: Time pressure and ignorance might lead to false predictions for the test
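Review bot: Renaming the sub-dimension key from `Test-Intensity` to `Test Intensity` changes an identifier that, beyond the openCRE URLs updated in the following hunks, is presumably used by any stored assessment or team data keyed by dimension/sub-dimension name; such files would silently lose their mapping. If such consumers exist, provide an alias or migration for the old key; if none do, state in the commit message that the rename is safe.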
@@ -8030,7 +8295,7 @@ Test and Verification:
- 8.25
- 8.27
openCRE:
- - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test-Intensity/subsection/Default%20settings%20for%20intensity
+ - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test%20Intensity/subsection/Default%20settings%20for%20intensity
isImplemented: false
evidence: ""
comments: ""
@@ -8061,7 +8326,7 @@ Test and Verification:
- 8.32
- 8.29
openCRE:
- - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test-Intensity/subsection/Regular%20automated%20tests
+ - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test%20Intensity/subsection/Regular%20automated%20tests
isImplemented: false
evidence: ""
comments: ""
@@ -8094,7 +8359,7 @@ Test and Verification:
- 8.25
- 8.27
openCRE:
- - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test-Intensity/subsection/Deactivating%20of%20unneeded%20tests
+ - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test%20Intensity/subsection/Deactivating%20of%20unneeded%20tests
isImplemented: false
evidence: ""
comments: ""
@@ -8125,7 +8390,7 @@ Test and Verification:
- 8.25
- 8.27
openCRE:
- - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test-Intensity/subsection/High%20test%20intensity
+ - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test%20Intensity/subsection/High%20test%20intensity
isImplemented: false
evidence: ""
comments: ""
@@ -8160,10 +8425,10 @@ Test and Verification:
- 8.27
- 8.8
openCRE:
- - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test-Intensity/subsection/Creation%20and%20application%20of%20a%20testing%20concept
+ - https://www.opencre.org/node/standard/DevSecOps%20Maturity%20Model%20%28DSOMM%29/section/Test%20Intensity/subsection/Creation%20and%20application%20of%20a%20testing%20concept
isImplemented: false
evidence: ""
comments: ""
tags:
- none
-...
+...
\ No newline at end of file
diff --git a/src/custom-theme.scss b/src/custom-theme.scss
index 4b14e8f0..f2462628 100644
--- a/src/custom-theme.scss
+++ b/src/custom-theme.scss
@@ -2,62 +2,50 @@
.mat-drawer,
.mat-drawer-container {
- transition: background 300ms
- cubic-bezier(0.25, 0.8, 0.25, 1), box-shadow 280ms
- cubic-bezier(0.4, 0, 0.2, 1);
+ transition: background 300ms cubic-bezier(0.25, 0.8, 0.25, 1), box-shadow 280ms cubic-bezier(0.4, 0, 0.2, 1);
}
// ----------------------------------------------
// Theme Colors and Typography
// ----------------------------------------------
$light-theme: (
- background: white,
- text: black,
- link: blue,
+ background: white,
+ text: black,
+ link: blue,
);
$custom-dark-theme: (
- background: #2c2c2c,
- text: #e0e0e0,
- link: #bb86fc,
+ background: #121212,
+ text: #e0e0e0,
+ link: #66bb6a,
);
-$custom-typography: mat.define-typography-level(
- $font-family: montserrat,
- $font-weight: 400,
- $font-size: 1rem,
- $line-height: 1,
- $letter-spacing: normal
-);
+$custom-typography: mat.define-typography-level($font-family: montserrat,
+ $font-weight: 400,
+ $font-size: 1rem,
+ $line-height: 1,
+ $letter-spacing: normal);
@include mat.core($custom-typography);
// ----------------------------------------------
// Angular Material Palettes
// ----------------------------------------------
-$DSOMM-primary: mat.define-palette(mat.$green-palette, 400);
+$DSOMM-primary: mat.define-palette(mat.$green-palette, 500);
$DSOMM-accent: mat.define-palette(mat.$pink-palette, A200, A100, A400);
$DSOMM-warn: mat.define-palette(mat.$red-palette);
-$DSOMM-dark-primary: mat.define-palette(mat.$green-palette, 600);
+$DSOMM-dark-primary: mat.define-palette(mat.$green-palette, 500);
// ----------------------------------------------
// Angular Material Themes
// ----------------------------------------------
-$DSOMM-light-theme: mat.define-light-theme((
- color: (
- primary: $DSOMM-primary,
- accent: $DSOMM-accent,
- warn: $DSOMM-warn
- )
-));
-
-$DSOMM-dark-theme: mat.define-dark-theme((
- color: (
- primary: $DSOMM-dark-primary,
- accent: $DSOMM-accent,
- warn: $DSOMM-warn
- )
-));
+$DSOMM-light-theme: mat.define-light-theme((color: (primary: $DSOMM-primary,
+ accent: $DSOMM-accent,
+ warn: $DSOMM-warn )));
+
+$DSOMM-dark-theme: mat.define-dark-theme((color: (primary: $DSOMM-dark-primary,
+ accent: $DSOMM-accent,
+ warn: $DSOMM-warn )));
// ----------------------------------------------
// Base Theme Mixin
@@ -69,6 +57,7 @@ $DSOMM-dark-theme: mat.define-dark-theme((
a {
color: map-get($theme, link);
}
+
a:visited {
color: map-get($theme, visited-link);
}
@@ -80,7 +69,12 @@ $DSOMM-dark-theme: mat.define-dark-theme((
body {
.title-button,
- h1, h2, h3, h4, h5, h6 {
+ h1,
+ h2,
+ h3,
+ h4,
+ h5,
+ h6 {
color: map-get($light-theme, text);
}
}
@@ -100,12 +94,12 @@ body {
--heatmap-background: white;
--heatmap-stroke: black;
--heatmap-cursor-hover: #1c8b1c;
- --heatmap-cursor-selected:#3d3d3d;
+ --heatmap-cursor-selected: #3d3d3d;
--dependency-link: #707070;
--dependency-border: #222222;
--dependency-mainnode-fill: #4caf50;
- --dependency-predecessor-fill: #deeedeff;
+ --dependency-predecessor-fill: #deeedeff;
--dependency-successor-fill: #fdfdfdff;
@include mat.all-component-themes($DSOMM-light-theme);
@@ -117,74 +111,248 @@ body {
body.dark-theme {
@include apply-theme($custom-dark-theme);
@include mat.all-component-themes($DSOMM-dark-theme);
-
- --text-primary: #fefefe;
- --text-secondary: #ababab;
- --text-tertiary: #999999;
- --background-primary: #303030;
- --background-secondary: #424242;
- --background-tertiary: #666666;
-
+
+ --surface-base: #121212;
+ /* page background */
+ --surface-01: #1e1e1e;
+ /* cards, panels */
+ --surface-02: #242424;
+ /* elevated cards */
+ --surface-03: #2c2c2c;
+ /* dialogs, dropdowns */
+ --surface-04: #333333;
+ /* hover states */
+ --border-subtle: rgba(255, 255, 255, 0.08);
+ --border-medium: rgba(255, 255, 255, 0.12);
+
+ --text-primary: #f0f0f0;
+ --text-secondary: #aaaaaa;
+ --text-tertiary: #666666;
+ --background-primary: var(--surface-base);
+ --background-secondary: var(--surface-01);
+ --background-tertiary: var(--surface-02);
+
--primary-color: #{mat.get-color-from-palette($DSOMM-dark-primary)};
--heatmap-filled: #007700;
- --heatmap-disabled: #666666;
+ --heatmap-disabled: #555555;
--heatmap-background: #bbbbbb;
--heatmap-stroke: #000000;
--heatmap-cursor-hover: #145e14;
--heatmap-cursor-selected: #232323;
-
+
--dependency-link: #bbbbbb;
--dependency-border: #0e1b0e;
- --dependency-mainnode-fill: rgb(107, 190, 107);
- --dependency-predecessor-fill: rgb(172, 206, 172);
+ --dependency-mainnode-fill: rgb(107, 190, 107);
+ --dependency-predecessor-fill: rgb(172, 206, 172);
--dependency-successor-fill: rgb(192, 192, 192);
+ background-color: var(--surface-base);
+ color: var(--text-primary);
+
.title-button,
- h1, h2, h3, h4, h5, h6 {
+ h1,
+ h2,
+ h3,
+ h4,
+ h5,
+ h6 {
color: map-get($custom-dark-theme, text);
}
// General properties
- p, li, tr {
- color: #e0e0e0;
+ p,
+ li,
+ tr {
+ color: var(--text-primary);
}
b {
- font-weight: 400;
+ font-weight: 500;
}
- // Common containers
+ a {
+ color: #66bb6a;
+ }
+
+ a:visited {
+ color: #66bb6a;
+ }
+
+ //cards and panels
mat-card,
- .mat-dialog-container,
- .mat-expansion-panel,
- .mat-accordion,
- .overlay-wrapper {
- background-color: #2c2c2c;
- color: #e0e0e0;
+ .mat-card {
+ background-color: var(--surface-01);
+ color: var(--text-primary);
+ border: 1px solid var(--border-subtle);
+ border-radius: 12px;
+ box-shadow: 0 2px 8px rgba(0, 0, 0, 0.4),
+ 0 1px 3px rgba(0, 0, 0, 0.3);
+ transition: box-shadow 0.2s ease, border-color 0.2s ease;
+
+ &:hover {
+ border-color: var(--border-medium);
+ box-shadow: 0 4px 16px rgba(0, 0, 0, 0.5),
+ 0 2px 6px rgba(0, 0, 0, 0.4);
+ }
+ }
+
+ //sidenav
+ .mat-drawer,
+ .mat-sidenav {
+ background-color: var(--surface-01);
+ border-right: 1px solid var(--border-subtle);
+ }
+
+ .mat-drawer-container {
+ background-color: var(--surface-base);
+ }
+
+ //navbar
+ .mat-toolbar {
+ background-color: var(--surface-01) !important;
+ border-bottom: 1px solid var(--border-subtle);
+ box-shadow: 0 1px 6px rgba(0, 0, 0, 0.4);
+ }
+
+ // ----------------------------------------------
+ // Toolbar / Navbar
+ // ----------------------------------------------
+ .mat-toolbar {
+ background-color: var(--surface-01) !important;
+ border-bottom: 1px solid var(--border-subtle);
+ box-shadow: 0 1px 6px rgba(0, 0, 0, 0.4);
+ }
+
+ //Tables
+ .mat-table,
+ table[mat-table] {
+ background-color: var(--surface-01);
+ border: 1px solid var(--border-subtle);
+ border-radius: 8px;
+ overflow: hidden;
+ }
+
+ .mat-header-row {
+ background-color: var(--surface-02);
+ border-bottom: 1px solid var(--border-medium);
+ }
+
+ .mat-header-cell {
+ color: var(--text-primary);
+ font-weight: 600;
+ }
+
+ .mat-row {
+ background-color: var(--surface-01);
+ border-bottom: 1px solid var(--border-subtle);
+ transition: background-color 0.15s ease;
+
+ &:hover {
+ background-color: var(--surface-04);
+ }
+ }
+
+ .mat-cell {
+ color: var(--text-primary);
}
// Dialog styling
.mat-dialog-container {
- border: 1px solid #444;
- box-shadow: 0 2px 10px rgba(0, 0, 0, 0.7);
+ background-color: var(--surface-03);
+ color: var(--text-primary);
+ border: 1px solid var(--border-medium);
+ border-radius: 12px;
+ box-shadow: 0 8px 32px rgba(0, 0, 0, 0.6);
+ }
+
+ // Expansion panels and accordion
+ .mat-expansion-panel,
+ .mat-accordion {
+ background-color: var(--surface-01);
+ color: var(--text-primary);
+ border: 1px solid var(--border-subtle);
+ border-radius: 8px !important;
+
+ .mat-expansion-panel-header {
+ background-color: var(--surface-02);
+ border-radius: 8px;
+
+ &:hover {
+ background-color: var(--surface-04) !important;
+ }
+ }
+ }
+
+ //chips
+ .mat-chip.mat-standard-chip {
+ background-color: var(--surface-03);
+ color: var(--text-secondary);
+ border: 1px solid var(--border-subtle);
+ border-radius: 16px;
+ transition: background-color 0.2s ease, border-color 0.2s ease;
+
+ &:hover {
+ background-color: var(--surface-04);
+ border-color: var(--border-medium);
+ }
+ }
+
+
+ // Form fields and inputs
+ .mat-form-field-appearance-outline .mat-form-field-outline {
+ color: var(--border-medium);
+ }
+
+ .mat-form-field-appearance-outline.mat-focused .mat-form-field-outline-thick {
+ color: #66bb6a;
+ }
+
+ .mat-input-element {
+ color: var(--text-primary);
+ caret-color: #66bb6a;
+ }
+
+ .mat-form-field-label {
+ color: var(--text-secondary);
+ }
+
+ // Buttons
+ .mat-icon-button:hover {
+ background-color: var(--surface-04);
+ }
+
+ .mat-raised-button {
+ background-color: var(--surface-02);
+ color: var(--text-primary);
+ border: 1px solid var(--border-subtle);
+
+ &:hover {
+ background-color: var(--surface-04);
+ }
}
// Modal override
+ .overlay-wrapper,
.overlay-modal {
- background-color: #2c2c2c;
- color: #e0e0e0;
- border-radius: 6px;
+ background-color: var(--surface-03);
+ color: var(--text-primary);
+ border: 1px solid var(--border-medium);
+ border-radius: 12px;
+ box-shadow: 0 8px 32px rgba(0, 0, 0, 0.6);
mat-card {
background-color: transparent;
+ border: none;
+ box-shadow: none;
}
h1, h2, h3, h4, h5, h6 {
- color: #e0e0e0;
+ color: var(--text-primary);
}
}
+
// Circular heatmap (radar chart)
.circular-heat text,
.labels.segment text {
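Review bot: The `.mat-toolbar` rule is declared twice with identical bodies in the new dark-theme block (under `//navbar` and again under `// Toolbar / Navbar`), which will drift the first time someone edits one copy; delete one. The link colour `#66bb6a` is hard-coded in several places (`a`, `a:visited`, the focused form-field outline, `caret-color`) although `$custom-dark-theme` already defines it as `link` and `apply-theme` already sets `a { color }` from the map; use `map-get($custom-dark-theme, link)` or a CSS variable so the palette has one source of truth. Giving `a:visited` the same colour as `a` drops the visited-link distinction in dark mode only; if that is intended, a comment saying so would help. The `!important` flags on `.mat-toolbar` and the expansion-panel rules override Material's own theme output; since `mat.all-component-themes` is included first, specificity alone should suffice and `!important` makes later overrides harder.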
@@ -195,13 +363,41 @@ body.dark-theme {
.circular-heat path {
stroke: var(--heatmap-stroke);
}
+
+ // List items and nav
+ .mat-list-item,
+ .mat-nav-list .mat-list-item {
+ color: var(--text-secondary);
+ border-radius: 8px;
+ transition: background-color 0.15s ease, color 0.15s ease;
+
+ &:hover {
+ background-color: var(--surface-04);
+ color: var(--text-primary);
+ }
- .mat-chip.mat-standard-chip {
- color: #ababab;
+ &.active {
+ background-color: rgba(102, 187, 106, 0.15);
+ color: #66bb6a;
+ }
+ }
+
+ //select and menu
+ .mat-select-panel,
+ .mat-menu-panel {
+ background-color: var(--surface-03);
+ border: 1px solid var(--border-medium);
+ border-radius: 8px;
+ box-shadow: 0 4px 20px rgba(0, 0, 0, 0.5);
}
- .mat-chip.mat-standard-chip.mat-chip-selected.mat-primary {
- background-color: var(--primary-color);
+ .mat-option {
+ color: var(--text-primary);
+
+ &:hover,
+ &.mat-active {
+ background-color: var(--surface-04);
+ }
}
}
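Review bot: The removed `.mat-chip.mat-standard-chip.mat-chip-selected.mat-primary { background-color: var(--primary-color) }` rule has no replacement, and the new chip rule in the preceding hunk styles only the default and hover states, so selected primary chips in dark mode fall back to Material's default selected colour rather than the DSOMM primary. If the filter chips rely on a selected state, restore it inside the new chip rule: `&.mat-chip-selected.mat-primary { background-color: var(--primary-color); color: var(--text-primary); }`. The `&.active` highlight for list items hard-codes `rgba(102, 187, 106, 0.15)`, i.e. `#66bb6a` at 15 %; deriving it from the theme link colour would keep it in sync with the palette.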
@@ -226,4 +422,4 @@ svg .cursors #hover {
svg .cursors #selected {
stroke: var(--heatmap-cursor-selected, black);
stroke-width: 4px;
-}
+}
\ No newline at end of file
diff --git a/src/styles.css b/src/styles.css
index fa4c6eb5..27b6af73 100644
--- a/src/styles.css
+++ b/src/styles.css
@@ -7,8 +7,15 @@
}
html, body { height: 100%; }
-body { margin: 0; font-family: Roboto, "Helvetica Neue", sans-serif; }
-
+body { margin: 0; font-family: Roboto, "Helvetica Neue", sans-serif;
+ overflow: hidden; /* keep this — body itself should not scroll */ }
+app-root {
+ display: flex;
+ flex-direction: column;
+ height: 100%;
+ overflow: hidden;
+ max-width: 100vw;
+}
h1, h2, h3 {
font-weight: 400;
}
@@ -63,3 +70,26 @@ h1, h2, h3 {
.compact-tooltip {
transform: translateY(-10px) !important;
}
+* {
+ scrollbar-color: #9F9F9F #2C2C2C;
+}
+
+*::-webkit-scrollbar {
+ width: 8px;
+ height: 8px;
+}
+
+*::-webkit-scrollbar-track {
+ background: #9F9F9F;
+ border-radius: 4px;
+}
+
+*::-webkit-scrollbar-thumb {
+ background-color: #888;
+ border-radius: 4px;
+}
+
+*::-webkit-scrollbar-thumb:hover {
+ background-color: #555;
+}
+
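Review bot: The Firefox and WebKit scrollbar colours disagree: `scrollbar-color: #9F9F9F #2C2C2C` means a `#9F9F9F` thumb on a `#2C2C2C` track (the property takes thumb first, then track), whereas the `::-webkit-scrollbar-track` rule below paints the track `#9F9F9F` and the thumb `#888`, so the two engines render inverted contrast. Pick one scheme and state it once, e.g. `scrollbar-color: #888 #9F9F9F;` to match the WebKit rules, or better, reference the theme variables so the scrollbar follows light/dark mode instead of the `*` selector forcing fixed greys in both. The `*` selector also reaches every scrollable element, including Material overlays; scoping to `html, body, .content` would limit surprises.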