Mapping of DSOMM activities to OWASP SAMM version 2 and ISO 27001:2017
| Dimension | Subdimension | Activity | SAMM 2 | ISO 27001:2017 |
|---|---|---|---|---|
| Build and Deployment | Build | Building and testing of artifacts in virtual environments | I-SB-2-A | 14.2.6 |
| Build and Deployment | Build | Continuous integration | I-SB-1-A | 14.2.6 |
| Build and Deployment | Build | Defined build process | I-SB-1-A | 12.1.1, 14.2.2 |
| Build and Deployment | Build | Pinning of artifacts | I-SB-1-A | 14.2.6 |
| Build and Deployment | Build | Signing of artifacts | I-SB-1-A | 14.2.6 |
| Build and Deployment | Build | Signing of code | I-SB-2-A | 14.2.6 |
| Build and Deployment | Deployment | Blue/Green Deployment | TODO | 17.2.1, 12.1.1, 12.1.2, 12.1.4, 12.5.1, 14.2.9 |
| Build and Deployment | Deployment | Defined deployment process | I-SD-1-A | 12.1.1, 14.2.2 |
| Build and Deployment | Deployment | Environment depending configuration parameters (secrets) | I-SD-1-B | 9.4.5, 14.2.6 |
| Build and Deployment | Deployment | Handover of confidential parameters | I-SD-2-B | 14.1.3, 13.1.3, 9.4.3, 9.4.1, 10.1.2 |
| Build and Deployment | Deployment | Inventory of running artifacts | o-incident-management\|TODO | 8.1, 8.2 |
| Build and Deployment | Deployment | Rolling update on deployment | I-SD-1-A | 12.5.1, 14.2.2, 17.2.1 |
| Build and Deployment | Deployment | Same artifact for environments | I-SD-2-A | 14.3.1, 14.2.8, 12.1.4 |
| Build and Deployment | Deployment | Usage of feature toggles | | 14.3.1, 14.2.8, 14.2.9, 12.1.4 |
| Build and Deployment | Deployment | Usage of trusted images | I-SD-2-A | 15.1.1, 15.1.2, 15.1.3, 14.1.3 |
| Build and Deployment | Patch Management | A patch policy is defined | O-EM-1-B | 12.6.1, 12.5.1, 14.2.5 |
| Build and Deployment | Patch Management | Automated PRs for patches | O-EM-1-B | 12.6.1, 14.2.5 |
| Build and Deployment | Patch Management | Nightly build of images (base images) | O-EM-1-B | 12.6.1 |
| Build and Deployment | Patch Management | Reduction of the attack surface | O-EM-1-B | hardening is missing from ISO 27001; 14.2.1 |
| Build and Deployment | Patch Management | Usage of a maximum lifetime for images | O-EM-1-B | 12.6.1 |
| Build and Deployment | Patch Management | Usage of a short maximum lifetime for images | O-EM-1-B | 12.6.1 |
| Culture and Organization | Design | Conduction of advanced threat modeling | D-TA-2-B | not explicitly covered by ISO 27001; may be part of risk assessment: 8.2.1, 14.2.1 |
| Culture and Organization | Design | Conduction of simple threat modeling on business level | D-TA-2-B | not explicitly covered by ISO 27001; may be part of risk assessment: 8.2.1, 14.2.1 |
| Culture and Organization | Design | Conduction of simple threat modeling on technical level | D-TA-2-B | not explicitly covered by ISO 27001; may be part of risk assessment: 8.2.1, 14.2.1 |
| Culture and Organization | Design | Creation of advanced abuse stories | D-TA-2-B | not explicitly covered by ISO 27001; may be part of project management: 6.1.5; may be part of risk assessment: 8.1.2 |
| Culture and Organization | Design | Creation of simple abuse stories | D-TA-2-B | not explicitly covered by ISO 27001; may be part of project management: 6.1.5; may be part of risk assessment: 8.1.2 |
| Culture and Organization | Design | Creation of threat modeling processes and standards | D-TA-3-B | not explicitly covered by ISO 27001; may be part of risk assessment: 8.2.1, 14.2.1 |
| Culture and Organization | Design | Information security targets are communicated | | 5.1.1, 7.2.1 |
| Culture and Organization | Education and Guidance | Ad-Hoc Security trainings for software developers | G-EG-1-A | 7.2.2 |
| Culture and Organization | Education and Guidance | Aligning security in teams | G-EG-3-B | 7.1.1 |
| Culture and Organization | Education and Guidance | Conduction of build-it, break-it, fix-it contests | G-EG-2-A | 7.2.2 |
| Culture and Organization | Education and Guidance | Conduction of collaborative security checks with developers and system administrators | G-EG-2-A | mutual review of source code is not explicitly required by ISO 27001; possibly 7.2.2, 12.6.1, 12.7.1 |
| Culture and Organization | Education and Guidance | Conduction of collaborative team security checks | G-EG-1-A, G-EG-2-A | mutual security testing is not explicitly required by ISO 27001; possibly 7.2.2 |
| Culture and Organization | Education and Guidance | Conduction of war games | G-EG-2-A | war games are not explicitly required by ISO 27001; possibly 7.2.2, 16.1, 16.1.5 |
| Culture and Organization | Education and Guidance | Each team has a security champion | G-EG-1-B, G-EG-2-B, G-EG-3-B | security champions are missing from ISO 27001; most likely 7.2.1, 7.2.2 |
| Culture and Organization | Education and Guidance | Regular security training for all | G-EG-1-A | 7.2.2 |
| Culture and Organization | Education and Guidance | Regular security training for externals | G-EG-3-A | 7.2.2 |
| Culture and Organization | Education and Guidance | Regular security training of security champions | D-TA-2-B, G-EG-1-A | security champions are missing from ISO 27001; 7.2.2 |
| Culture and Organization | Education and Guidance | Reward of good communication | G-EG-1-B | not required by ISO 27001; interestingly, A.7.2.3 requires a process to handle misconduct but nothing to promote good behavior |
| Culture and Organization | Education and Guidance | Security code review | V-ST-B-1 | |
| Culture and Organization | Education and Guidance | Security consulting on request | G-EG-1-A | security consulting is missing from ISO 27001; possibly 6.1.1, 6.1.4, 6.1.5 |
| Culture and Organization | Education and Guidance | Security-Lessoned-Learned | strategy-and-metrics\|B\|1 | 16.1.6 |
| Culture and Organization | Education and Guidance | Simple mob hacking | G-EG-1-A | 7.2.2 |
| Culture and Organization | Process | Approval by reviewing any new version | | peer review (four-eyes principle) is not explicitly required by ISO 27001; 6.1.2, 14.2.1 |
| Culture and Organization | Process | Definition of a change management process | | 14.2.2, 12.1.2, 12.4.1 |
| Culture and Organization | Process | Definition of simple BCDR practices for critical components | | 17.1.1 |
| Culture and Organization | Process | Prevention of unauthorized installation | | 12.5.1, 12.6.1 |
| Culture and Organization | Process | Source Control Protection | O-EM-1-C | peer review (four-eyes principle) is not explicitly required by ISO 27001; 6.1.2, 14.2.1 |
| Implementation | Application Hardening | App. Hardening Level 2 | D-SR-2-A | hardening is not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Application Hardening | App. Hardening Level 3 | D-SR-3-A | hardening is not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Application Hardening | Application Hardening Level 1 | D-SR-1-A | hardening is not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Application Hardening | Full Coverage of App. Hardening Level 3 | D-SR-3-A | hardening is not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Infrastructure Hardening | 2FA | TODO | not explicitly covered by ISO 27001 (too specific); 9.1.1, 9.4.2, 14.2.5 |
| Implementation | Infrastructure Hardening | Applications are running in virtualized environments | O-EM-1-A | virtual environments are not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Infrastructure Hardening | Backup | TODO | 12.3, 14.2.6 |
| Implementation | Infrastructure Hardening | Checking the sources of used libraries | O-EM-1-A | not explicitly covered by ISO 27001 (too specific); 14.2.1, 14.2.5 |
| Implementation | Infrastructure Hardening | Filter outgoing traffic | O-EM-1-A | virtual environments are not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Infrastructure Hardening | Immutable Infrastructure | O-EM-1-A | not explicitly covered by ISO 27001 (too specific); 17.2.1 |
| Implementation | Infrastructure Hardening | Infrastructure as Code | O-EM-1-A | not explicitly covered by ISO 27001 (too specific); 12.1.1, 12.1.2 |
| Implementation | Infrastructure Hardening | Isolated networks for virtual environments | O-EM-1-A | virtual environments are not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Infrastructure Hardening | Limitation of system calls in virtual environments | O-EM-1-A | system hardening is not explicitly covered by ISO 27001 (too specific) |
| Implementation | Infrastructure Hardening | Microservice-Architecture | O-EM-1-A | not explicitly covered by ISO 27001 |
| Implementation | Infrastructure Hardening | Production near environments are used by developers | O-EM-1-A | 12.1.4, 17.2.1 |
| Implementation | Infrastructure Hardening | Role based authentication and authorization | O-EM-1-A | 9.4.1 |
| Implementation | Infrastructure Hardening | Simple access control for systems | O-EM-1-A | 9.4.1 |
| Implementation | Infrastructure Hardening | The cluster is hardened | O-EM-1-A | system hardening is not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Infrastructure Hardening | Usage of a chaos monkey | O-EM-1-A | not explicitly covered by ISO 27001 (too specific); 17.1.3 |
| Implementation | Infrastructure Hardening | Usage of security by default for components | O-EM-1-A | not explicitly covered by ISO 27001 (too specific) |
| Implementation | Infrastructure Hardening | Usage of test and production environments | O-EM-1-A | not explicitly covered by ISO 27001 (too specific); 12.1.4, 17.2.1 |
| Implementation | Infrastructure Hardening | Versioning | O-EM-1-A | not explicitly covered by ISO 27001 (too specific); 12.1.1, 12.1.2, 14.2.2 |
| Implementation | Infrastructure Hardening | Virtual environments are limited | O-EM-1-A | virtual environments are not explicitly covered by ISO 27001 (too specific); 12.1.3, 13.1.3, 17.2.1 |
| Information Gathering | Logging | Centralized application logging | O-IM-1-A | not explicitly covered by ISO 27001 (too specific); 12.4.1 |
| Information Gathering | Logging | Centralized system logging | O-IM-1-A | not explicitly covered by ISO 27001 (too specific); 12.4.1 |
| Information Gathering | Logging | Correlation of security events | O-IM-2-A | not explicitly covered by ISO 27001 (too specific); 12.4.1 |
| Information Gathering | Logging | Logging of security events | O-IM-1-A | 12.4.1 |
| Information Gathering | Logging | PII logging concept | O-IM-1-A | not explicitly covered by ISO 27001 (too specific); 12.4.1, 18.1.1 |
| Information Gathering | Logging | Visualized logging | O-IM-1-A | not explicitly covered by ISO 27001 (too specific); 12.4.1 |
| Information Gathering | Monitoring | Advanced availability and stability metrics | O-IM-2-A | 12.1.3 |
| Information Gathering | Monitoring | Advanced webapplication metrics | O-IM-2-A | 12.6.1 |
| Information Gathering | Monitoring | Alerting | O-DM-3-B | 16.1.2, 16.1.4, 12.1.4 |
| Information Gathering | Monitoring | Coverage and control metrics | O-IM-2-A | not explicitly covered by ISO 27001 (too specific) |
| Information Gathering | Monitoring | Deactivation of unused metrics | O-IM-1-A | not explicitly covered by ISO 27001 (too specific); 12.1.3 |
| Information Gathering | Monitoring | Defense metrics | O-IM-2-A | 12.4.1, 13.1.1 |
| Information Gathering | Monitoring | Grouping of metrics | O-IM-2-A | not explicitly covered by ISO 27001 (too specific); 12.1.3 |
| Information Gathering | Monitoring | Metrics are combined with tests | O-IM-2-A | not explicitly covered by ISO 27001 |
| Information Gathering | Monitoring | Screens with metric visualization | O-IM-2-A | not explicitly covered by ISO 27001 (too specific); 16.1.5 |
| Information Gathering | Monitoring | Simple application metrics | O-IM-1-A | 12.4.1 |
| Information Gathering | Monitoring | Simple system metrics | O-IM-1-A | 12.1.3 |
| Information Gathering | Monitoring | Targeted alerting | O-DM-3-B | not explicitly covered by ISO 27001 (too specific); 16.1.5 |
| Information Gathering | Monitoring | Visualized metrics | O-IM-2-A | 12.1.3 |
| Test and Verification | Application tests | High coverage of security related module and integration tests | V-ST-3-B | 14.2.3, 14.2.8 |
| Test and Verification | Application tests | Security integration tests for important components | V-ST-3-B | 14.2.3, 14.2.8 |
| Test and Verification | Application tests | Security unit tests for important components | V-ST-3-B | 14.2.3, 14.2.8 |
| Test and Verification | Application tests | Smoke Test | V-ST-3-B | 14.2.3, 14.2.8 |
| Test and Verification | Consolidation | Advanced visualization of defects | I-DM-1-B | 16.1.4, 8.2.1, 8.2.2, 8.2.3 |
| Test and Verification | Consolidation | Definition of quality gates | I-DM-2-A | not explicitly covered by ISO 27001 (too specific); 12.6.1, 16.1.4 |
| Test and Verification | Consolidation | Integration of vulnerability issues into the development process | I-DM-2-B | not explicitly covered by ISO 27001 (too specific); 16.1.4, 16.1.5, 16.1.6 |
| Test and Verification | Consolidation | Reproducible defect tickets | I-DM-2-B | 16.1.4, 8.2.1, 8.2.2, 8.2.3 |
| Test and Verification | Consolidation | Simple false positive treatment | I-DM-2-A | not explicitly covered by ISO 27001 (too specific); 16.1.6 |
| Test and Verification | Consolidation | Simple visualization of defects | I-DM-1-B | 16.1.4, 8.2.1, 8.2.2, 8.2.3 |
| Test and Verification | Consolidation | Treatment of all defects | I-DM-2-B | 16.1.4, 12.6.1 |
| Test and Verification | Consolidation | Treatment of defects with severity high or higher | I-DM-2-B | 16.1.4, 12.6.1 |
| Test and Verification | Consolidation | Treatment of defects with severity middle | I-DM-2-B | 16.1.4, 12.6.1 |
| Test and Verification | Consolidation | Usage of a vulnerability management system | I-DM-1-B | 12.6.1, 16.1.3, 16.1.4, 16.1.5, 16.1.6 |
| Test and Verification | Dynamic depth for applications | Coverage analysis | V-ST-2-A | not explicitly covered by ISO 27001 (too specific); part of periodic review (PDCA) |
| Test and Verification | Dynamic depth for applications | Coverage of client side dynamic components | V-ST-2-A | 14.2.3, 14.2.8 |
| Test and Verification | Dynamic depth for applications | Coverage of hidden endpoints | V-ST-2-A | not explicitly covered by ISO 27001 (too specific) |
| Test and Verification | Dynamic depth for applications | Coverage of more input vectors | V-ST-2-A | not explicitly covered by ISO 27001 (too specific) |
| Test and Verification | Dynamic depth for applications | Coverage of sequential operations | V-ST-2-A | 14.2.8, 14.2.3 |
| Test and Verification | Dynamic depth for applications | Coverage of service to service communication | V-ST-2-A | 14.2.3, 14.2.8 |
| Test and Verification | Dynamic depth for applications | Simple Scan | V-ST-1-A | 14.2.3, 14.2.8 |
| Test and Verification | Dynamic depth for applications | Usage of different roles | V-ST-2-A | not explicitly covered by ISO 27001 (too specific); 14.2.3, 14.2.8 |
| Test and Verification | Dynamic depth for applications | Usage of multiple scanners | V-ST-2-A | 12.6.1, 14.2.5 |
| Test and Verification | Dynamic depth for infrastructure | Load tests | V-ST-1-A | 12.1.3, 14.2.3, 14.2.8 |
| Test and Verification | Dynamic depth for infrastructure | Test for exposed services | V-ST-1-A | 13.1.3, 14.2.3, 14.2.8 |
| Test and Verification | Dynamic depth for infrastructure | Test for unused Resources | V-ST-1-A | 13.1.3, 14.2.3, 14.2.8 |
| Test and Verification | Dynamic depth for infrastructure | Test network segmentation | V-ST-2-A | 13.1.3, 14.2.3, 14.2.8 |
| Test and Verification | Dynamic depth for infrastructure | Test of the configuration of cloud environments | | system hardening is not explicitly covered by ISO 27001 (too specific); 12.6.1, 14.2.3, 14.2.8 |
| Test and Verification | Dynamic depth for infrastructure | Weak password test | V-ST-2-A | 9.4.3 |
| Test and Verification | Static depth for applications | Exclusion of source code duplicates | V-ST-2-A | not explicitly covered by ISO 27001 (too specific); 14.2.1, 14.2.5 |
| Test and Verification | Static depth for applications | Static analysis for all components/libraries | V-ST-2-A | 12.6.1 |
| Test and Verification | Static depth for applications | Static analysis for all self written components | V-ST-2-A | 12.6.1 |
| Test and Verification | Static depth for applications | Static analysis for important client side components | V-ST-2-A | 12.6.1 |
| Test and Verification | Static depth for applications | Static analysis for important server side components | V-ST-2-A | 12.6.1 |
| Test and Verification | Static depth for applications | Stylistic analysis | V-ST-2-A | 12.6.1, 14.2.1, 14.2.5 |
| Test and Verification | Static depth for applications | Test of client side components with known vulnerabilities | V-ST-2-A | 12.6.1 |
| Test and Verification | Static depth for applications | Test of server side components with known vulnerabilities | V-ST-2-A | 12.6.1 |
| Test and Verification | Static depth for applications | Usage of multiple analyzers | V-ST-3-A | 12.6.1, 14.2.1, 14.2.5 |
| Test and Verification | Static depth for infrastructure | Analyze logs | | |
| Test and Verification | Static depth for infrastructure | Check for image lifetime | V-ST-1-A | 12.6.1, 14.2.5 |
| Test and Verification | Static depth for infrastructure | Check for known vulnerabilities | V-ST-2-A | 12.6.1 |
| Test and Verification | Static depth for infrastructure | Check for malware | V-ST-2-A | 12.2.1 |
| Test and Verification | Static depth for infrastructure | Check for new image version | V-ST-2-A | 12.6.1, 14.2.5, 12.2.1 |
| Test and Verification | Static depth for infrastructure | Correlate known vulnerabilities in infrastructure with new image versions | V-ST-1-A | 12.6.1, 14.2.1 |
| Test and Verification | Static depth for infrastructure | Stored Secrets | V-ST-1-A | VCS usage is not explicitly covered by ISO 27001 (too specific); 9.4.3, 10.1.2 |
| Test and Verification | Static depth for infrastructure | Test cluster deployment resources | V-ST-1-A | system hardening is not explicitly covered by ISO 27001 (too specific); 12.6.1, 14.2.3, 14.2.8 |
| Test and Verification | Static depth for infrastructure | Test of infrastructure components for known vulnerabilities | V-ST-1-A | 12.6.1, 14.2.1 |
| Test and Verification | Static depth for infrastructure | Test of virtualized environments | V-ST-1-A | |
| Test and Verification | Static depth for infrastructure | Test the cloud configuration | V-ST-1-A | system hardening is not explicitly covered by ISO 27001 (too specific); 12.6.1, 14.2.3, 14.2.8 |
| Test and Verification | Static depth for infrastructure | Test the definition of virtualized environments | V-ST-1-A | system hardening and virtual environments are not explicitly covered by ISO 27001 (too specific); 12.6.1, 14.2.3, 14.2.8, 14.2.1 |
| Test and Verification | Test-Intensity | Creation and application of a testing concept | V-ST-2-A | 14.2.2, 14.2.3, 14.2.1, 14.2.5, 12.6.1 |
| Test and Verification | Test-Intensity | Deactivating of unneeded tests | V-ST-2-A | 12.6.1, 14.2.1, 14.2.5 |
| Test and Verification | Test-Intensity | Default settings for intensity | V-ST-1-A | 12.6.1, 14.2.1, 14.2.5 |
| Test and Verification | Test-Intensity | High test intensity | V-ST-2-A | 12.6.1, 14.2.1, 14.2.5 |
| Test and Verification | Test-Intensity | Regular tests | I-SB-3-A | 14.2.3, 14.2.8, 14.2.9 |