| Dimension | Subdimension | Activity | OWASP SAMM version 2 | ISO 27001:2017 |
|---|---|---|---|---|
| BuildAndDeployment | Build | Building and testing of artifacts in virtual environments | i-secure-build\|A\|2 | 14.2.6 |
| BuildAndDeployment | Build | Defined build process | i-secure-build\|A\|1 | 12.1.1; 14.2.2 |
| BuildAndDeployment | Build | Signing of artifacts | i-secure-build\|A\|1 | 14.2.6 |
| BuildAndDeployment | Build | Signing of code | i-secure-build\|A\|2 | 14.2.6 |
| BuildAndDeployment | Deployment | Backup before deployment | TODO | 12.3; 14.2.6 |
| BuildAndDeployment | Deployment | Blue/Green Deployment | TODO | 17.2.1; 12.1.1; 12.1.2; 12.1.4; 12.5.1; 14.2.9 |
| BuildAndDeployment | Deployment | Defined deployment process | i-secure-deployment\|A\|1 | 12.1.1; 14.2.2 |
| BuildAndDeployment | Deployment | Environment depending configuration parameters | i-secure-deployment\|B\|1 | 9.4.5; 14.2.6 |
| BuildAndDeployment | Deployment | Handover of confidential parameters | i-secure-deployment\|B\|2 (TODO: might be 1) | 14.1.3; 13.1.3; 9.4.3; 9.4.1; 10.1.2 |
| BuildAndDeployment | Deployment | Inventory of running artifacts | o-incident-management\|TODO | 8.1; 8.2 |
| BuildAndDeployment | Deployment | Rolling update on deployment | i-secure-deployment\|A\|1 | 12.5.1; 14.2.2; 17.2.1 |
| BuildAndDeployment | Deployment | Same artifact for environments | i-secure-deployment\|A\|2 | 14.3.1; 14.2.8; 12.1.4 |
| BuildAndDeployment | Deployment | Usage of feature toggles | | 14.3.1; 14.2.8; 14.2.9; 12.1.4 |
| BuildAndDeployment | Deployment | Usage of trusted images | i-secure-deployment\|A\|2 | 15.1.1; 15.1.2; 15.1.3; 14.1.3 |
| BuildAndDeployment | Patch Management | A patch policy is defined | o-environment-management\|B\|1 | 12.6.1; 12.5.1; 14.2.5 |
| BuildAndDeployment | Patch Management | Automated PRs for patches | o-environment-management\|B\|1 | 12.6.1; 14.2.5 |
| BuildAndDeployment | Patch Management | Nightly build of images | o-environment-management\|B\|1 | 12.6.1 |
| BuildAndDeployment | Patch Management | Reduction of the attack surface | o-environment-management\|B\|1 | hardening is missing in ISO 27001; 14.2.1 |
| BuildAndDeployment | Patch Management | Usage of a maximum lifetime for images | o-environment-management\|B\|1 | 12.6.1 |
| BuildAndDeployment | Patch Management | Usage of a short maximum lifetime for images | o-environment-management\|B\|1 | 12.6.1 |
| CultureAndOrganization | Design | Conduction of advanced threat modeling | threat-assessment\|B\|2 | not explicitly covered by ISO 27001; may be part of risk assessment; 8.2.1; 14.2.1 |
| CultureAndOrganization | Design | Conduction of simple threat modeling on business level | threat-assessment\|B\|2 | not explicitly covered by ISO 27001; may be part of risk assessment; 8.2.1; 14.2.1 |
| CultureAndOrganization | Design | Conduction of simple threat modeling on technical level | threat-assessment\|B\|2 | not explicitly covered by ISO 27001; may be part of risk assessment; 8.2.1; 14.2.1 |
| CultureAndOrganization | Design | Creation of advanced abuse stories | threat-assessment\|B\|2 | not explicitly covered by ISO 27001; may be part of project management: 6.1.5; may be part of risk assessment: 8.1.2 |
| CultureAndOrganization | Design | Creation of simple abuse stories | threat-assessment\|B\|2 | not explicitly covered by ISO 27001; may be part of project management: 6.1.5; may be part of risk assessment: 8.1.2 |
| CultureAndOrganization | Design | Creation of threat modeling processes and standards | threat-assessment\|B\|3 | not explicitly covered by ISO 27001; may be part of risk assessment; 8.2.1; 14.2.1 |
| CultureAndOrganization | Design | Information security targets are communicated | | 5.1.1; 7.2.1 |
| CultureAndOrganization | Education and Guidance | Ad-Hoc Security trainings for software developers | education-and-guidance\|A\|1 | 7.2.2 |
| CultureAndOrganization | Education and Guidance | Aligning security in teams | education-and-guidance\|B\|3 | 7.1.1 |
| CultureAndOrganization | Education and Guidance | Conduction of build-it, break-it, fix-it contests | | 7.2.2 |
| CultureAndOrganization | Education and Guidance | Conduction of collaborative security checks with developers and system administrators | | mutual review of source code is not explicitly required in ISO 27001, maybe: 7.2.2; 12.6.1; 12.7.1 |
| CultureAndOrganization | Education and Guidance | Conduction of collaborative team security checks | | mutual security testing is not explicitly required in ISO 27001, maybe: 7.2.2 |
| CultureAndOrganization | Education and Guidance | Conduction of war games | | war games are not explicitly required in ISO 27001, maybe: 7.2.2; 16.1; 16.1.5 |
| CultureAndOrganization | Education and Guidance | Each team has a security champion | education-and-guidance\|B\|1; education-and-guidance\|B\|2; education-and-guidance\|B\|3 | security champions are missing in ISO 27001, most likely: 7.2.1; 7.2.2 |
| CultureAndOrganization | Education and Guidance | Regular security training for all | education-and-guidance\|A\|1 | 7.2.2 |
| CultureAndOrganization | Education and Guidance | Regular security training for externals | education-and-guidance\|A\|3 | 7.2.2 |
| CultureAndOrganization | Education and Guidance | Regular security training of security champions | threat-assessment\|B\|2; education-and-guidance\|A\|1 | security champions are missing in ISO 27001; 7.2.2 |
| CultureAndOrganization | Education and Guidance | Reward of good communication | education-and-guidance\|B\|1 | not required by ISO 27001; interestingly enough, A.7.2.3 requires a process to handle misconduct but nothing to promote good behavior |
| CultureAndOrganization | Education and Guidance | Security consulting on request | education-and-guidance\|A\|1 | security consulting is missing in ISO 27001, maybe: 6.1.1; 6.1.4; 6.1.5 |
| CultureAndOrganization | Education and Guidance | Security-Lessoned-Learned | | 16.1.6 |
| CultureAndOrganization | Process | Approval by reviewing any new version | | peer review (four eyes principle) is not explicitly required by ISO 27001; 6.1.2; 14.2.1 |
| CultureAndOrganization | Process | Definition of a change management process | | 14.2.2; 12.1.2; 12.4.1 |
| CultureAndOrganization | Process | Definition of simple BCDR practices for critical components | | 17.1.1 |
| CultureAndOrganization | Process | Prevention of unauthorized installation | | 12.5.1; 12.6.1 |
| Implementation | Application Hardening | App. Hardening Level 2 | software-requirements\|A\|2 | hardening is not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Application Hardening | App. Hardening Level 3 | software-requirements\|A\|3 | hardening is not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Application Hardening | Application Hardening Level 1 | software-requirements\|A\|1 | hardening is not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Application Hardening | Full Coverage of App. Hardening Level 3 | software-requirements\|A\|3 | hardening is not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Infrastructure Hardening | 2FA | TODO | not explicitly covered by ISO 27001 (too specific); 9.1.1; 9.4.2; 14.2.5 |
| Implementation | Infrastructure Hardening | Applications are running in virtualized environments | o-environment-management\|A\|1 | virtual environments are not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Infrastructure Hardening | Checking the sources of used libraries | o-environment-management\|A\|1 | not explicitly covered by ISO 27001 (too specific); 14.2.1; 14.2.5 |
| Implementation | Infrastructure Hardening | Filter outgoing traffic | o-environment-management\|A\|1 | virtual environments are not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Infrastructure Hardening | Immutable Infrastructure | o-environment-management\|A\|1 | not explicitly covered by ISO 27001 (too specific); 17.2.1 |
| Implementation | Infrastructure Hardening | Infrastructure as Code | o-environment-management\|A\|1 | not explicitly covered by ISO 27001 (too specific); 12.1.1; 12.1.2 |
| Implementation | Infrastructure Hardening | Isolated networks for virtual environments | o-environment-management\|A\|1 | virtual environments are not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Infrastructure Hardening | Limitation of system calls in virtual environments | o-environment-management\|A\|1 | system hardening is not explicitly covered by ISO 27001 (too specific) |
| Implementation | Infrastructure Hardening | Microservice-Architecture | o-environment-management\|A\|1 | not explicitly covered by ISO 27001 |
| Implementation | Infrastructure Hardening | Production near environments are used by developers | o-environment-management\|A\|1 | 12.1.4; 17.2.1 |
| Implementation | Infrastructure Hardening | Role based authentication and authorization | o-environment-management\|A\|1 | 9.4.1 |
| Implementation | Infrastructure Hardening | Simple access control for systems | o-environment-management\|A\|1 | 9.4.1 |
| Implementation | Infrastructure Hardening | The cluster is hardened | o-environment-management\|A\|1 | system hardening is not explicitly covered by ISO 27001 (too specific); 13.1.3 |
| Implementation | Infrastructure Hardening | Usage of a chaos monkey | o-environment-management\|A\|1 | not explicitly covered by ISO 27001 (too specific); 17.1.3 |
| Implementation | Infrastructure Hardening | Usage of security by default for components | o-environment-management\|A\|1 | not explicitly covered by ISO 27001 (too specific) |
| Implementation | Infrastructure Hardening | Usage of test and production environments | o-environment-management\|A\|1 | not explicitly covered by ISO 27001 (too specific); 12.1.4; 17.2.1 |
| Implementation | Infrastructure Hardening | Virtual environments are limited | o-environment-management\|A\|1 | virtual environments are not explicitly covered by ISO 27001 (too specific); 12.1.3; 13.1.3; 17.2.1 |
| Implementation | Infrastructure Hardening | versioning | o-environment-management\|A\|1 | not explicitly covered by ISO 27001 (too specific); 12.1.1; 12.1.2; 14.2.2 |
| InformationGathering | Logging | Centralized application logging | o-incident-management\|A\|1 | not explicitly covered by ISO 27001 (too specific); 12.4.1 |
| InformationGathering | Logging | Centralized system logging | o-incident-management\|A\|1 | not explicitly covered by ISO 27001 (too specific); 12.4.1 |
| InformationGathering | Logging | Correlation of security events | o-incident-management\|A\|2 | not explicitly covered by ISO 27001 (too specific); 12.4.1 |
| InformationGathering | Logging | Logging of security events | o-incident-management\|A\|1 | 12.4.1 |
| InformationGathering | Logging | PII logging concept | o-incident-management\|A\|1 | not explicitly covered by ISO 27001 (too specific); 12.4.1; 18.1.1 |
| InformationGathering | Logging | Visualized logging | o-incident-management\|A\|1 | not explicitly covered by ISO 27001 (too specific); 12.4.1 |
| InformationGathering | Monitoring | Advanced availability and stability metrics | o-incident-management\|A\|2 | 12.1.3 |
| InformationGathering | Monitoring | Advanced webapplication metrics | o-incident-management\|A\|2 | 12.6.1 |
| InformationGathering | Monitoring | Alerting | o-operational-management\|B\|3 | 16.1.2; 16.1.4; 12.1.4 |
| InformationGathering | Monitoring | Coverage and control metrics | o-incident-management\|A\|2 | not explicitly covered by ISO 27001 (too specific) |
| InformationGathering | Monitoring | Deactivation of unused metrics | o-incident-management\|A\|1 | not explicitly covered by ISO 27001 (too specific); 12.1.3 |
| InformationGathering | Monitoring | Defense metrics | o-incident-management\|A\|2 | 12.4.1; 13.1.1 |
| InformationGathering | Monitoring | Grouping of metrics | o-incident-management\|A\|2 | not explicitly covered by ISO 27001 (too specific); 12.1.3 |
| InformationGathering | Monitoring | Metrics are combined with tests | o-incident-management\|A\|2 | not explicitly covered by ISO 27001 |
| InformationGathering | Monitoring | Screens with metric visualization | o-incident-management\|A\|2 | not explicitly covered by ISO 27001 (too specific); 16.1.5 |
| InformationGathering | Monitoring | Simple application metrics | o-incident-management\|A\|1 | 12.4.1 |
| InformationGathering | Monitoring | Simple system metrics | o-incident-management\|A\|1 | 12.1.3 |
| InformationGathering | Monitoring | Targeted alerting | o-operational-management\|B\|3 | not explicitly covered by ISO 27001 (too specific); 16.1.5 |
| InformationGathering | Monitoring | Visualized metrics | o-incident-management\|A\|2 | 12.1.3 |
| TestAndVerification | Application tests | High coverage of security related module and integration tests | v-security-testing\|B\|3 | 14.2.3; 14.2.8 |
| TestAndVerification | Application tests | Security integration tests for important components | v-security-testing\|B\|3 | 14.2.3; 14.2.8 |
| TestAndVerification | Application tests | Security unit tests for important components | v-security-testing\|B\|3 | 14.2.3; 14.2.8 |
| TestAndVerification | Application tests | Smoke Test | v-security-testing\|B\|3 | 14.2.3; 14.2.8 |
| TestAndVerification | Consolidation | Advanced visualization of defects | defect-management\|B\|1 | 16.1.4; 8.2.1; 8.2.2; 8.2.3 |
| TestAndVerification | Consolidation | Definition of quality gates | i-defect-management\|A\|2 | not explicitly covered by ISO 27001 (too specific); 12.6.1; 16.1.4 |
| TestAndVerification | Consolidation | Integration of vulnerability issues into the development process | i-defect-management\|B\|2 | not explicitly covered by ISO 27001 (too specific); 16.1.4; 16.1.5; 16.1.6 |
| TestAndVerification | Consolidation | Reproducible defect tickets | i-defect-management\|B\|2 | 16.1.4; 8.2.1; 8.2.2; 8.2.3 |
| TestAndVerification | Consolidation | Simple false positive treatment | i-defect-management\|A\|2 | not explicitly covered by ISO 27001 (too specific); 16.1.6 |
| TestAndVerification | Consolidation | Simple visualization of defects | i-defect-management\|B\|1 | 16.1.4; 8.2.1; 8.2.2; 8.2.3 |
| TestAndVerification | Consolidation | Treatment of all defects | i-defect-management\|B\|2 | 16.1.4; 12.6.1 |
| TestAndVerification | Consolidation | Treatment of defects with severity high or higher | i-defect-management\|B\|2 | 16.1.4; 12.6.1 |
| TestAndVerification | Consolidation | Treatment of defects with severity middle | i-defect-management\|B\|2 | 16.1.4; 12.6.1 |
| TestAndVerification | Consolidation | Usage of a vulnerability management system | i-defect-management\|B\|1 | 12.6.1; 16.1.3; 16.1.4; 16.1.5; 16.1.6 |
| TestAndVerification | Dynamic depth for applications | Coverage analysis | v-security-testing\|A\|2 | not explicitly covered by ISO 27001 (too specific); part of periodic review, PDCA |
| TestAndVerification | Dynamic depth for applications | Coverage of client side dynamic components | v-security-testing\|A\|2 | 14.2.3; 14.2.8 |
| TestAndVerification | Dynamic depth for applications | Coverage of hidden endpoints | v-security-testing\|A\|2 | not explicitly covered by ISO 27001 (too specific) |
| TestAndVerification | Dynamic depth for applications | Coverage of more input vectors | v-security-testing\|A\|2 | not explicitly covered by ISO 27001 (too specific) |
| TestAndVerification | Dynamic depth for applications | Coverage of sequential operations | v-security-testing\|A\|2 | 14.2.8; 14.2.3 |
| TestAndVerification | Dynamic depth for applications | Coverage of service to service communication | v-security-testing\|A\|2 | 14.2.3; 14.2.8 |
| TestAndVerification | Dynamic depth for applications | Simple Scan | v-security-testing\|A\|1 | 14.2.3; 14.2.8 |
| TestAndVerification | Dynamic depth for applications | Usage of different roles | v-security-testing\|A\|2 | not explicitly covered by ISO 27001 (too specific); 14.2.3; 14.2.8 |
| TestAndVerification | Dynamic depth for applications | Usage of multiple scanners | v-security-testing\|A\|2 | 12.6.1; 14.2.5 |
| TestAndVerification | Dynamic depth for infrastructure | Load tests | v-security-testing\|A\|1 | 12.1.3; 14.2.3; 14.2.8 |
| TestAndVerification | Dynamic depth for infrastructure | Test for exposed services | v-security-testing\|A\|1 | 13.1.3; 14.2.3; 14.2.8 |
| TestAndVerification | Dynamic depth for infrastructure | Test network segmentation | v-security-testing\|A\|2 | 13.1.3; 14.2.3; 14.2.8 |
| TestAndVerification | Dynamic depth for infrastructure | Test of the configuration of cloud environments | | system hardening is not explicitly covered by ISO 27001 (too specific); 12.6.1; 14.2.3; 14.2.8 |
| TestAndVerification | Dynamic depth for infrastructure | Weak password test | v-security-testing\|A\|2 | 9.4.3 |
| TestAndVerification | Static depth for applications | Exclusion of source code duplicates | v-security-testing\|A\|2 | not explicitly covered by ISO 27001 (too specific); 14.2.1; 14.2.5 |
| TestAndVerification | Static depth for applications | Static analysis for all components/libraries | v-security-testing\|A\|2 | 12.6.1 |
| TestAndVerification | Static depth for applications | Static analysis for all self written components | v-security-testing\|A\|2 | 12.6.1 |
| TestAndVerification | Static depth for applications | Static analysis for important client side components | v-security-testing\|A\|2 | 12.6.1 |
| TestAndVerification | Static depth for applications | Static analysis for important server side components | v-security-testing\|A\|2 | 12.6.1 |
| TestAndVerification | Static depth for applications | Stylistic analysis | v-security-testing\|A\|2 | 12.6.1; 14.2.1; 14.2.5 |
| TestAndVerification | Static depth for applications | Test of client side components with known vulnerabilities | v-security-testing\|A\|2 | 12.6.1 |
| TestAndVerification | Static depth for applications | Test of server side components with known vulnerabilities | v-security-testing\|A\|2 | 12.6.1 |
| TestAndVerification | Static depth for applications | Usage of multiple analyzers | v-security-testing\|A\|3 | 12.6.1; 14.2.1; 14.2.5 |
| TestAndVerification | Static depth for infrastructure | Analyze logs | | |
| TestAndVerification | Static depth for infrastructure | Check for image lifetime | v-security-testing\|A\|1 | 12.6.1; 14.2.5 |
| TestAndVerification | Static depth for infrastructure | Check for known vulnerabilities | v-security-testing\|A\|2 | 12.6.1 |
| TestAndVerification | Static depth for infrastructure | Check for malware | v-security-testing\|A\|2 | 12.2.1 |
| TestAndVerification | Static depth for infrastructure | Check for new image version | v-security-testing\|A\|2 | 12.6.1; 14.2.5; 12.2.1 |
| TestAndVerification | Static depth for infrastructure | Correlate known vulnerabilities in infrastructure with new image versions | v-security-testing\|A\|1 | 12.6.1; 14.2.1 |
| TestAndVerification | Static depth for infrastructure | Stored Secrets | v-security-testing\|A\|1 | VCS usage is not explicitly covered by ISO 27001 (too specific); 9.4.3; 10.1.2 |
| TestAndVerification | Static depth for infrastructure | Test cluster deployment resources | v-security-testing\|A\|1 | system hardening is not explicitly covered by ISO 27001 (too specific); 12.6.1; 14.2.3; 14.2.8 |
| TestAndVerification | Static depth for infrastructure | Test of infrastructure components for known vulnerabilities | v-security-testing\|A\|1 | 12.6.1; 14.2.1 |
| TestAndVerification | Static depth for infrastructure | Test of virtualized environments | v-security-testing\|A\|1 | |
| TestAndVerification | Static depth for infrastructure | Test the cloud configuration | v-security-testing\|A\|1 | system hardening is not explicitly covered by ISO 27001 (too specific); 12.6.1; 14.2.3; 14.2.8 |
| TestAndVerification | Static depth for infrastructure | Test the definition of virtualized environments | v-security-testing\|A\|1 | system hardening and virtual environments are not explicitly covered by ISO 27001 (too specific); 12.6.1; 14.2.3; 14.2.8; 14.2.1 |
| TestAndVerification | Test-Intensity | Creation and application of a testing concept | v-security-testing\|A\|2 | 14.2.2; 14.2.3; 14.2.1; 14.2.5; 12.6.1 |
| TestAndVerification | Test-Intensity | Deactivating of unneeded tests | v-security-testing\|A\|2 | 12.6.1; 14.2.1; 14.2.5 |
| TestAndVerification | Test-Intensity | Default settings for intensity | v-security-testing\|A\|1 | 12.6.1; 14.2.1; 14.2.5 |
| TestAndVerification | Test-Intensity | High test intensity | v-security-testing\|A\|2 | 12.6.1; 14.2.1; 14.2.5 |
| TestAndVerification | Test-Intensity | Regular tests | i-secure-build\|A\|3 | 14.2.3; 14.2.8; 14.2.9 |