Skip to content

Review of level 1 activities #46

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
vbakke wants to merge 24 commits into
base: main
Choose a base branch
from
Open

Review of level 1 activities #46

vbakke wants to merge 24 commits into from

Conversation

@vbakke
Copy link
Collaborator

@vbakke vbakke commented Sep 22, 2025
edited
Loading

Added missing descriptions and assessments, on level 1 activities.

Feel free to comment and adjust. I reckon we should aim to avoid repeating the same message in multiple attributes of the same activity. But I might still be doing that. Nice with more sets of eyes to improve...

@vbakke vbakke requested a review from wurstbrot September 22, 2025 15:14
wurstbrot
wurstbrot requested changes Oct 3, 2025
View reviewed changes
Copy link
Contributor

@wurstbrot wurstbrot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good in general.

For the assessment attribute: It was written in a way that users understand what they have to provide in order to get it marked as implemented. I do not enforce that you re-write it, but for you know.

E.g.

The organization has a process for triaging and documenting false positives and accepted risks

could be

Provide a maximum one year old sample of a false positive or accepted finding including the date, description and date and expire date

vbakke
vbakke commented Oct 8, 2025
View reviewed changes
Copy link
Collaborator Author

@vbakke vbakke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for a thorough review.

Looks like I skipped Implementation and Test and Verification. I can try to add them soon.

However, could you please elaborate some on Default settings for intensity? The current text is very short, and I struggle to understand the boundaries for the activity.

wurstbrot
wurstbrot requested changes Oct 13, 2025
View reviewed changes
src/assets/YAML/default/BuildAndDeployment/Deployment.yaml Outdated
A defined deployment process is a documented and automated set of steps for releasing software into production. It ensures that deployments are consistent, secure, and auditable, reducing the risk of errors and unauthorized changes. This process should include validation, approval, and rollback mechanisms.
risk: >-
Deployment of insecure or malfunctioning artifacts.
Deployment based human routines are error prone, and of insecure or malfunctioning artifacts.
Copy link
Contributor

@wurstbrot wurstbrot Oct 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, readme is well definied.
Building and testing of artifacts in virtual environments is there to not run all build jobs on the same server without isolation.

src/assets/YAML/default/Implementation/InfrastructureHardening.yaml
risk: Attackers a gaining access to internal systems and application interfaces
measure: All internal systems are using simple authentication
assessment: |
- Demonstrate that every team member has appropriate access (least privilege).
Copy link
Contributor

@wurstbrot wurstbrot Oct 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From my point of view, it is the opposite:
- Demonstrate that every team member has least access as possible.

vbakke and others added 15 commits November 30, 2025 18:12
@vbakke
Renamed Versioning to Version control and added description
04023de
@vbakke
Merge 'main' into 'feat/v4-review-level-1'
b9fbd51
@vbakke
Included feedback from PR devsecopsmaturitymodel#46
1cf5f0f
@vbakke
Renamed Versioning to Version control and added description
3521a80
@vbakke
Merge branch 'feat/v4-review-level-1-implementation' of https://githu…
78700ec 
…b.com/vbakke/DevSecOps-MaturityModel-data into feat/v4-review-level-1-implementation
@vbakke
Merge pull request #1 from vbakke/feat/v4-review-level-1-implementation
37d2269 
Feat/v4 review level 1 implementation
@vbakke
Deployment: Split 'Defined deployment process'
50e8987
@vbakke
Split dependencies between Defined and Automated deploy process
7a29110
@vbakke
Updated with PR feedback
cf9954d
@vbakke
Merge pull request #2 from vbakke/feat/v4-review-level-1-deployment
4d208b2 
Split 'Defined deployment process' into 'Automated deployment process'
@vbakke
Updated external URLs
c37ef59
@vbakke
Updated with feedback from PR
f7f5f16
@vbakke
Merge pull request #4 from vbakke/feat/v4-review-level-1-urlreferences
a5e92d9 
Updated external URLs
@vbakke
Included feedback from PR.
aa7211b 
Added tags (scannig, sca, ...)
@vbakke
Revert wrong delete
f098fbc
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wurstbrot wurstbrot wurstbrot requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vbakke @wurstbrot