Dimension Build and Deployment
Sub-Dimension Build
Defined build process
Risk and Opportunity
Risk: Performing builds without a defined process is error prone. For example, as a result of incorrect security related configuration.
Opportunity: A well defined build process lowers the possibility of errors during the build process.
Exploit details
Usefullness: High
Required knowledge: Low (one discipline)
Required time: Medium
Required resources (systems): Low
Additional Information
Implementation hints: Jenkins, Docker
OWASP SAMM 2 Mapping: i-secure-build|A|1
ISO27001:2017 Controls Mapping:
Regular tests
Risk and Opportunity
Risk: After pushing source code to the version control system, any delay in receiving feedback on defects makes them harder for the developer to remediate.
Opportunity: On each push and/or at given intervals automatic security tests are performed.
Exploit details
Usefullness: Low
Required knowledge: Very Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
OWASP SAMM 2 Mapping: i-secure-build|A|3
ISO27001:2017 Controls Mapping:
Signing of artifacts
Risk and Opportunity
Risk: Unauthorized manipulation of artifacts might be difficult to spot. For example, this may result in images with malicious code in the Docker registry.
Opportunity: Digitally signing artifacts for all steps during the build and especially docker images, helps to ensure their integrity.
Exploit details
Usefullness: High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Low
Additional Information
Dependencies: Defined build process
OWASP SAMM 1 Mapping: OA3-B
OWASP SAMM 2 Mapping: i-secure-build|A|1
ISO27001:2017 Controls Mapping:
Signing of code
Risk and Opportunity
Risk: Unauthorized manipulation of source code might be difficult to spot.
Opportunity: Digitally signing commits helps to prevent unauthorized manipulation of source code.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Low
Additional Information
Dependencies: Defined build process
OWASP SAMM 1 Mapping: OA3-B
OWASP SAMM 2 Mapping: i-secure-build|A|2
ISO27001:2017 Controls Mapping:
Building and testing of artifacts in virtual environments
Risk and Opportunity
Risk: While building and testing artifacts, third party systems, application frameworks and 3rd party libraries are used. These might be malicious as a result of vulnerable libraries or because they are altered during the delivery phase.
Opportunity: Each step during within the build and testing phase is performed in a separate virtual environments, which is destroyed afterward.
Exploit details
Usefullness: Low
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Low
Additional Information
Implementation hints: Docker
OWASP SAMM 2 Mapping: i-secure-build|A|2
ISO27001:2017 Controls Mapping:
Sub-Dimension Deployment
Defined deployment process
Risk and Opportunity
Risk: Deployments without a defined process are error prone thus allowing old or untested artifact to be deployed.
Opportunity: A defined deployment process significantly lowers the likelihood of errors during the deployment phase.
Exploit details
Usefullness: High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Implementation hints: Jenkins, Docker
OWASP SAMM 2 Mapping: i-secure-deployment|A|1
ISO27001:2017 Controls Mapping:
Backup before deployment
Risk and Opportunity
Risk: If errors are experienced during the deployment process you want to deploy an old release. However, due to changes in the database this is often unfeasible.
Opportunity: Performing automated backups before deployment can help facilitate deployments whilst testing the backup restore processes.
Exploit details
Usefullness: High
Required knowledge: Very Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Dependencies: Defined deployment process
Implementation hints: A complete database backup might be performed*. For large and complex environments, a Point in Time Recovery for databases should be implemented.
OWASP SAMM 1 Mapping: OE2-A
OWASP SAMM 2 Mapping: TODO
ISO27001:2017 Controls Mapping:
Environment depending configuration parameters
Risk and Opportunity
Risk: Attackers who compromise source code can see confidential access information like database credentials.
Opportunity: Configuration parameters are set for each environment not in the source code.
Exploit details
Usefullness: High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
OWASP SAMM 1 Mapping: SA2-A
OWASP SAMM 2 Mapping: i-secure-deployment|B|1
ISO27001:2017 Controls Mapping:
Usage of trusted images
Risk and Opportunity
Risk: Developers or operations might start random images in the production cluster which have malicous code or known vulnerabilities.
Opportunity: Create image assessment criteria, perform an evaluation of images and create a whitelist of artifacts/container images/virtual machine images.
Exploit details
Usefullness: Medium
Required knowledge: Very Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
Implementation hints: Kubernetes Admission Controller can whitelist registries and/or whitelist a signing key.
OWASP SAMM 2 Mapping: i-secure-deployment|A|2
ISO27001:2017 Controls Mapping:
Handover of confidential parameters
Risk and Opportunity
Risk: Attackers who compromise a system can see confidential access information like database credentials. Parameters are often used to set credentials, for example by starting containers or applications. These parameters can often be seen by any one listing running processes on the target system.
Opportunity: By using encryption, it is harder to read credentials , e.g. from the file system. Also, the usage of a credential management system can help protect credentials.
Exploit details
Usefullness: High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Dependencies: Environment depending configuration parameters
OWASP SAMM 1 Mapping: SA2-A
OWASP SAMM 2 Mapping: i-secure-deployment|B|2 TODO might be 1
ISO27001:2017 Controls Mapping:
- 14.1.3
- 13.1.3
- 9.4.3
- 9.4.1
- 10.1.2
Inventory of running artifacts
Risk and Opportunity
Risk: In case a vulnerability of severity high or critical exists, it needs to be known where an artifacts with that vulnerability is deployed with which dependencies.
Opportunity: A documented inventory or a possibility to gather the needed information (e.g. the documentation of which script needs to be run by whoom) must be in place.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Medium
Additional Information
Dependencies: Defined deployment process
OWASP SAMM 2 Mapping: o-incident-management|TODO
ISO27001:2017 Controls Mapping:
Rolling update on deployment
Risk and Opportunity
Risk: While a deployment is performed, the application can not be reached.
Opportunity: A deployment without downtime is performed*.
Exploit details
Usefullness: Low
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Low
Additional Information
Dependencies: Defined deployment process
Implementation hints: Docker, Webserver, rolling update
OWASP SAMM 2 Mapping: i-secure-deployment|A|1
ISO27001:2017 Controls Mapping:
Same artifact for environments
Risk and Opportunity
Risk: Building of an artifact for different environments means that an untested artifact might reach the production environment.
Opportunity: Building an artifact once and deploying it to different environments means that only tested artifacts are allowed to reach the production environment
Exploit details
Usefullness: High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Dependencies: Defined build process
Implementation hints: Docker
OWASP SAMM 1 Mapping: OE2-A
OWASP SAMM 2 Mapping: i-secure-deployment|A|2
ISO27001:2017 Controls Mapping:
Usage of feature toggles
Risk and Opportunity
Risk: By using environment dependent configuration, some parameters will not be tested correctly. i.e.
if (host == 'production') {} else {} Opportunity: Usage of environment independent configuration parameter, called feature toggles, helps to enhance the test coverage. Only what has been tested, goes to production.
Exploit details
Usefullness: Low
Required knowledge: Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
Dependencies: Same artifact for environments
Implementation hints: Docker
OWASP SAMM 1 Mapping: EG1-B
ISO27001:2017 Controls Mapping:
Blue/Green Deployment
Risk and Opportunity
Risk: A new artifacts version can have unknown defects.
Opportunity: By having multiple production environments, a deployment can be performant on the first environment to spot possible defects before it is deployment in the production environment(s)
Exploit details
Usefullness: Low
Required knowledge: Very Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Dependencies: Smoke Test
OWASP SAMM 2 Mapping: TODO
ISO27001:2017 Controls Mapping:
- 17.2.1
- 12.1.1
- 12.1.2
- 12.1.4
- 12.5.1
- 14.2.9
Sub-Dimension Patch Management
A patch policy is defined
Risk and Opportunity
Risk: Vulnerabilities in running containers stay for long and might get exploited.
Opportunity: A patch policy for all artifacts (e.g. in images) is defined. How often is an images getting build?
Exploit details
Usefullness: High
Required knowledge: Medium (two disciplines)
Required time: Very Low
Required resources (systems): Low
OWASP SAMM 2 Mapping: o-environment-management|B|1
ISO27001:2017 Controls Mapping:
Automated PRs for patches
Risk and Opportunity
Risk: Known vulnerabilities components might stay for long and get exploited, even when a patch is available.
Opportunity: Fast patching of third party component is needed. The DevOps way is to have an automated pull request for new components. This includes
- Applications
- Virutalized operating system components (e.g. container images)
- Operating Systems
- Infrastructure as Code/GitOps (e.g. argocd)
Exploit details
Usefullness: Very High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Low
Additional Information
OWASP SAMM 2 Mapping: o-environment-management|B|1
ISO27001:2017 Controls Mapping:
Nightly build of images
Risk and Opportunity
Risk: Vulnerabilities in running containers stay for too long and might get exploited.
Opportunity: Images are getting build at least nightly.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Low
OWASP SAMM 2 Mapping: o-environment-management|B|1
ISO27001:2017 Controls Mapping:
Reduction of the attack surface
Risk and Opportunity
Risk: Components, dependencies, files or file access rights might have vulnerabilities, but the they are not needed.
Opportunity: Removal of not needed components, dependencies, files or file access rights. For container images the usage of distroless images is recommended.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Low
Additional Information
OWASP SAMM 2 Mapping: o-environment-management|B|1
ISO27001:2017 Controls Mapping:
- hardening is missing in ISO 27001
- 14.2.1
Usage of a maximum lifetime for images
Risk and Opportunity
Risk: Vulnerabilities in images of running containers stay for too long and might get exploited. Long running containers have potential memory leaks. A compromised container might get killed by restarting the container (e.g. in case the attacker has not reached the persistence layer).
Opportunity: The periodically builded images are deployed minimum every 30 days (better hourly/daily/weekly). Meaning an image is not in production for longer than 30 days.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: High
Required resources (systems): Low
OWASP SAMM 2 Mapping: o-environment-management|B|1
ISO27001:2017 Controls Mapping:
Usage of a short maximum lifetime for images
Risk and Opportunity
Risk: Vulnerabilities in running containers stay for too long and might get exploited.
Opportunity: The nightly builded images are deployed minimum every 1 day.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: High
Required resources (systems): Low
Additional Information
Implementation hints: - Sample concept:
(1) each container has a set lifetime and is killed / replaced with a new container multiple times a day where you have some form of a graceful replacement to ensure no (short) service outage will occur to the end users.
(2) twice a day a rebuild of images is done. The rebuilds are put into a automated testing pipeline. If the testing has no blocking issues the new images will be released for deployment during the next "restart" of a container. What has to be done, is to ensure the new containers are deployed in some canary deployment manner, this will ensure that if (and only if) something buggy has been introduced which breaks functionality the canary deployment will make sure the "older version" is being used and not the buggy newer one.
OWASP SAMM 2 Mapping: o-environment-management|B|1
ISO27001:2017 Controls Mapping:
Dimension Culture and Org.
Sub-Dimension Education and Guidance
Ad-Hoc Security trainings for software developers
Risk and Opportunity
Risk: Understanding security is hard and personnel needs to be trained on it. Otherwise, flaws like an SQL Injection might be introduced into the software which might get exploited.
Opportunity: Provide security awareness training for all personnel involved in software development Ad-Hoc.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
OWASP SAMM 1 Mapping: EG1-A - In case you do not have the budget to hire an external security expert, an option is to use the
OWASP Juice Shop on a "hacking Friday" - https://cheatsheetseries.owasp.org/
ISO27001:2017 Controls Mapping:
Security consulting on request
Risk and Opportunity
Risk: Not asking a security expert when questions regarding security appear might lead to flaws.
Opportunity: Security consulting to teams is given on request. The security consultants can be internal or external.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
OWASP SAMM 1 Mapping: EG2-B
ISO27001:2017 Controls Mapping:
- security consulting is missing in ISO 27001 may be
- 6.1.1
- 6.1.4
- 6.1.5
Each team has a security champion
Risk and Opportunity
Risk: No one feels directly responsible for security and the security champion does not have enough time to allocate to each team.
Opportunity: Each team defines an individual to be responsible for security. These individuals are often referred to as 'security champions'
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Very Low
Additional Information
Implementation hints: https://www.owasp.org/index.php/Security_Champions_Playbook
OWASP SAMM 1 Mapping: EG2-B
ISO27001:2017 Controls Mapping:
- security champions are missing in ISO 27001 most likely
- 7.2.1
- 7.2.2
Regular security training for all
Risk and Opportunity
Risk: Understanding security is hard.
Opportunity: Provide security awareness training for all personnel involved in software development on a regular basis like twice in a year for 1-3 days.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Implementation hints: - In case you do not have the budget to hire an external security expert, an option is to use the OWASP Juice Shop on a "hacking Friday"
- https://cheatsheetseries.owasp.org/
OWASP SAMM 1 Mapping: EG1-A
ISO27001:2017 Controls Mapping:
Regular security training of security champions
Risk and Opportunity
Risk: Understanding security is hard, even for security champions.
Opportunity: Regular security training of security champions.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Low
OWASP SAMM 1 Mapping: EG2-B
ISO27001:2017 Controls Mapping:
- security champions are missing in ISO 27001
- 7.2.2
Reward of good communication
Risk and Opportunity
Risk: Employees are not getting excited about security.
Opportunity: Good communication and transparency encourages cross-organisational support. Gamification of security is also known to help, examples include T-Shirts, mugs, cups, giftcards and 'High-Fives'.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Very Low
Additional Information
Implementation hints: - Enhance motivation can be performed with the distribution of pins as a reward, see OWASP Security Pins Project
- https://owaspsamm.org/presentations/OWASP_Top_10_Maturity_Categories_for_Security_Champions.pptx
ISO27001:2017 Controls Mapping:
- not required by ISO 27001
- interestingly enough A7.2.3 is requiring a process to handle misconduct but nothing to promote good behavior.
Conduction of build-it, break-it, fix-it contests
Risk and Opportunity
Risk: Understanding security is hard, even for security champions and the conduction of security training often focuses on breaking a component instead of building a component secure.
Opportunity: The build-it, break-it, fix-it contest allows to train people with security related roles like security champions the build, break and fix part of a secure application. This increases the learning of building secure components.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Very Low
Additional Information
Implementation hints: https://builditbreakit.org/
ISO27001:2017 Controls Mapping:
Conduction of collaborative security checks with developers and system administrators
Risk and Opportunity
Risk: Security checks by external companies do not increase the understanding of an application/system for internal employees.
Opportunity: Periodically security reviews of source code (SCA), in which security SME, developers and operations are involved, are effective at increasing the robustness of software and the security knowledge of the teams involved.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Very Low
OWASP SAMM 1 Mapping: IR1-B
ISO27001:2017 Controls Mapping:
- Mutual review of source code is not explicitly required in ISO 27001 may be
- 7.2.2
- 12.6.1
- 12.7.1
Regular security training for everyone
Risk and Opportunity
Risk: Understanding security is hard, for internal as well as external employees.
Opportunity: Regular security training for everyone.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Low
Additional Information
Implementation hints: Often, external employees are not invited for interal trainings. This activity focuses on providing security trainings to internal as well as external employees. It is conducted every two weeks for around one hour.
OWASP SAMM 1 Mapping: EG2-B
ISO27001:2017 Controls Mapping:
Security-Lessoned-Learned
Risk and Opportunity
Risk: After an incident, a similar incident might reoccur.
Opportunity: Running a 'lessons learned' session after an incident helps drive continuous improvement. Regular meetings with security champions are a good place to share and discuss lessons learned.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Very Low
OWASP SAMM 1 Mapping: IM-3, ST-3, SR2-B
ISO27001:2017 Controls Mapping:
Aligning security in teams
Risk and Opportunity
Risk: The concept of Security Champions might suggest that only he/she is responsible for security. However, everyone in the project team should be responsible for security.
Opportunity: By aligning security SME with project teams, a higher security standard can be achieved.
Exploit details
Usefullness: Very High
Required knowledge: High (two disciplines)
Required time: Very High
Required resources (systems): Very Low
Additional Information
Implementation hints: Security SME are involved in discussion for requirements analysis, software design and sprint planning to provide guidance and suggestions.
OWASP SAMM 1 Mapping: EG2-B
ISO27001:2017 Controls Mapping:
Conduction of collaborative team security checks
Risk and Opportunity
Risk: Development teams limited insight over security practices.
Opportunity: Mutual security testing the security of other teams's project enhances security awareness and knowledge.
Exploit details
Usefullness: Low
Required knowledge: High (two disciplines)
Required time: High
Required resources (systems): Low
OWASP SAMM 1 Mapping: EG2-A
ISO27001:2017 Controls Mapping:
- Mutual scurity testing is not explicitly required in ISO 27001 may be
- 7.2.2
Conduction of war games
Risk and Opportunity
Risk: Understanding incident response plans during an incident is hard and ineffective.
Opportunity: War Games like activities help train for incidents. Security SMEs create attack scenarios in a testing environment enabling the trainees to learn how to react in case of an incident.
Exploit details
Usefullness: Low
Required knowledge: High (two disciplines)
Required time: Very High
Required resources (systems): Very High
ISO27001:2017 Controls Mapping:
- ware games are not explicitly required in ISO 27001 may be
- 7.2.2
- 16.1
- 16.1.5
Sub-Dimension Culture and Org.
Information security targets are communicated
Risk and Opportunity
Risk: Employees don't known their organisation security targets. Therefore security is not considered during development and administration as much as it should be.
Opportunity: Transparent and timely communication of the security targets by senior management is essential to ensure teams' buy-in and support.
Exploit details
Usefullness: High
Required knowledge: Very Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
OWASP SAMM 1 Mapping: SM1-B
ISO27001:2017 Controls Mapping:
Creation of simple abuse stories
Risk and Opportunity
Risk: User stories mostly don't consider security implications. Security flaws are discovered too late in the development and deployment process.
Opportunity: Abuse stories are created during the creation of user stories.
Exploit details
Usefullness: High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
OWASP SAMM 1 Mapping: TA2-A
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001
- may be part of project management
- 6.1.5
- may be part of risk assesment
- 8.1.2
Conduction of simple threat modelling on business level
Risk and Opportunity
Risk: Business related threats are discovered too late in the development and deployment process.
Opportunity: Threat modelling of business functionality is performed during the product backlog creation to facilitate early detection of security defects.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Medium
Required resources (systems): Very Low
OWASP SAMM 1 Mapping: TA1-A
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001
- may be part of risk assessment
- 8.2.1
- 14.2.1
Conduction of simple threat modelling on technical level
Risk and Opportunity
Risk: Technical related threats are discovered too late in the development and deployment process.
Opportunity: Threat modelling of technical features is performed during the product sprint planning.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Medium
Required resources (systems): Very Low
OWASP SAMM 1 Mapping: TA1-A
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001
- may be part of risk assessment
- 8.2.1
- 14.2.1
Conduction of advanced threat modelling
Risk and Opportunity
Risk: Inadequate identification of business and technical risks.
Opportunity: Threat modelling is performed by using reviewing user stories and producing security driven data flow diagrams.
Exploit details
Usefullness: Medium
Required knowledge: High (two disciplines)
Required time: Medium
Required resources (systems): Low
OWASP SAMM 1 Mapping: TA2-B
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001
- may be part of risk assessment
- 8.2.1
- 14.2.1
Creation of advanced abuse stories
Risk and Opportunity
Risk: Simple user stories are not going deep enough. Relevant security considerations are performed. Security flaws are discovered too late in the development and deployment process
Opportunity: Advanced abuse stories are created as part of threat modelling activities.
Exploit details
Usefullness: High
Required knowledge: High (two disciplines)
Required time: Low
Required resources (systems): Very Low
Additional Information
Dependencies: Creation of simple abuse stories
OWASP SAMM 1 Mapping: TA2-A
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001
- may be part of project management
- 6.1.5
- may be part of risk assesment
- 8.1.2
Sub-Dimension Process
Definition of simple BCDR practices for critical components
Risk and Opportunity
Risk: In case of an emergency, like a power outage, DR actions to perform are not clear. This leads to reaction and remediation delays.
Opportunity: By understanding and documenting a business continuity and disaster recovery (BCDR) plan, the overall availability of systems and applications is increased. Success factors like responsibilities, Service Level Agreements, Recovery Point Objectives, Recovery Time Objectives or Failover must be fully documented and understood.
Exploit details
Usefullness: High
Required knowledge: High (two disciplines)
Required time: Medium
Required resources (systems): Low
ISO27001:2017 Controls Mapping:
Approval by reviewing any new version
Risk and Opportunity
Risk: An individual might forget to implement security measures to protect source code or infrastructure components.
Opportunity: On each new version (e.g. Pull Request) of source code or infrastructure components a security peer review of the changes is performed (two eyes principle) and approval given by the reviewer.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
OWASP SAMM 1 Mapping: IR1-B
ISO27001:2017 Controls Mapping:
- peer review - four eyes principle is not explicitly required by ISO 27001
- 6.1.2
- 14.2.1
Definition of a change management process
Risk and Opportunity
Risk: The impact of a change is not controlled because these are not recorded or documented.
Opportunity: Each change of a system is automatically recorded and adequately logged.
Exploit details
Usefullness: Medium
Required knowledge: High (two disciplines)
Required time: Medium
Required resources (systems): Very Low
ISO27001:2017 Controls Mapping:
Prevention of unauthorized installation
Risk and Opportunity
Risk: Unapproved components are used.
Opportunity: Components must be whitelisted. Regular scans on the docker infrastructure (e.g. cluster) need to be performed, to verify that only standardized base images are used.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
Implementation hints: Example: All docker images used by teams need to be based on standard images.
Comments: By preventing teams from trying out new components, innovation might be hampered
ISO27001:2017 Controls Mapping:
Dimension Information Gathering
Sub-Dimension Monitoring
Simple application metrics
Risk and Opportunity
Risk: Attacks on an application are not recognized.
Opportunity: Gathering of application metrics helps to identify incidents like brute force attacks, login/logout.
Exploit details
Usefullness: Very High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Low
Additional Information
Implementation hints: Prometheus
OWASP SAMM 2 Mapping: o-incident-management|A|1
ISO27001:2017 Controls Mapping:
Simple system metrics
Risk and Opportunity
Risk: Without simple metrics analysis of incidents are hard. In case an application uses a lot of CPU from time to time, it is hard for a developer to find out the source with linux commands.
Opportunity: Gathering of system metrics helps to identify incidents and specially bottlenecks like in CPU usage, memory usage and hard disk usage.
Exploit details
Usefullness: Very High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Low
Additional Information
Implementation hints: collectd
OWASP SAMM 2 Mapping: o-incident-management|A|1
ISO27001:2017 Controls Mapping:
Alerting
Risk and Opportunity
Risk: Incidents are discovered after they happend.
Opportunity: Thresholds for metrics are set. In case the thresholds are reached, alarms are send out. Which should get attention due to the critically.
Exploit details
Usefullness: Very High
Required knowledge: Low (one discipline)
Required time: Very High
Required resources (systems): Very High
Additional Information
Dependencies: Visualized metrics
OWASP SAMM 1 Mapping: OE1-B
OWASP SAMM 2 Mapping: o-operational-management|B|3
ISO27001:2017 Controls Mapping:
Visualized metrics
Risk and Opportunity
Risk: Not visualized metrics lead to restricted usage of metrics.
Opportunity: Metrics are visualized in real time in a user friendly way.
Exploit details
Usefullness: Medium
Required knowledge: Very Low (one discipline)
Required time: Low
Required resources (systems): Low
Additional Information
Dependencies: Simple application metrics, Simple system metrics
OWASP SAMM 2 Mapping: o-incident-management|A|2
ISO27001:2017 Controls Mapping:
Advanced availablity and stability metrics
Risk and Opportunity
Risk: Trends and advanced attacks are not detected.
Opportunity: Advanced metrics are gathered in relation to availability and stability. For example unplanned downtime's per year.
Exploit details
Usefullness: High
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Low
Additional Information
Dependencies: Simple application metrics, Visualized metrics
OWASP SAMM 2 Mapping: o-incident-management|A|2
ISO27001:2017 Controls Mapping:
Advanced webapplication metrics
Risk and Opportunity
Risk: People are not looking into tests results. Vulnerabilities not recolonized, even they are detected by tools.
Opportunity: All defects from the dimension Test- and Verification are instrumented.
Exploit details
Usefullness: High
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Low
Additional Information
Dependencies: Simple application metrics, Visualized metrics
OWASP SAMM 2 Mapping: o-incident-management|A|2
ISO27001:2017 Controls Mapping:
Deactivation of unused metrics
Risk and Opportunity
Risk: High resources are used while gathering unused metrics.
Opportunity: Deactivation of unused metrics helps to free resources.
Exploit details
Usefullness: Very High
Required knowledge: Low (one discipline)
Required time: Very High
Required resources (systems): Very High
Additional Information
Dependencies: Visualized metrics
OWASP SAMM 2 Mapping: o-incident-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 12.1.3
Grouping of metrics
Risk and Opportunity
Risk: The analysis of metrics takes long.
Opportunity: Meaningful grouping of metrics helps to speed up analysis.
Exploit details
Usefullness: Low
Required knowledge: Low (one discipline)
Required time: High
Required resources (systems): Low
OWASP SAMM 2 Mapping: o-incident-management|A|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 12.1.3
Targeted alerting
Risk and Opportunity
Risk: People are bored (ignorant) of incident alarm messages, as they are not responsible to react.
Opportunity: By the definition of target groups for incidents people are only getting alarms for incidents they are in charge for.
Exploit details
Usefullness: Very High
Required knowledge: Low (one discipline)
Required time: Very High
Required resources (systems): Very High
Additional Information
Dependencies: Alerting
OWASP SAMM 1 Mapping: OE1-B
OWASP SAMM 2 Mapping: o-operational-management|B|3
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 16.1.5
Coverage and control metrics
Risk and Opportunity
Risk: The effectiveness of configuration, patch and vulnerability management is unknown.
Opportunity: Usage of Coverage- and control-metrics to show the effectiveness of the security program. Coverage is the degree in
which a specific security control for a specific target group is applied with all resources.
The control degree shows the actual application of security standards and security-guidelines. Examples are gathering information on anti-virus, anti-rootkits, patch management, server configuration and vulnerability management.
Exploit details
Usefullness: High
Required knowledge: Medium (two disciplines)
Required time: Very High
Required resources (systems): Low
Additional Information
Dependencies: Visualized metrics
Implementation hints: https://ht.transparencytoolkit.org/FileServer/FileServer/OLD%20Fileserver/books/SICUREZZA/Addison.Wesley.Security.Metrics.Mar.2007.pdf
OWASP SAMM 2 Mapping: o-incident-management|A|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
Defence metrics
Risk and Opportunity
Risk: IDS/IPS systems like packet- or application-firewalls detect and prevent attacks. It is not known how many attacks has been detected and blocked.
Opportunity: Gathering of defence metrics like TCP/UDP sources enables to assume the geographic location of the request.
Exploit details
Usefullness: High
Required knowledge: Medium (two disciplines)
Required time: Very High
Required resources (systems): Low
Additional Information
Dependencies: Visualized metrics
OWASP SAMM 2 Mapping: o-incident-management|A|2
ISO27001:2017 Controls Mapping:
Metrics are combined with tests
Risk and Opportunity
Risk: Changes might cause high load due to programming errors.
Opportunity: Metrics during tests helps to identify programming errors.
Exploit details
Usefullness: Very High
Required knowledge: Low (one discipline)
Required time: Medium
Required resources (systems): Low
Additional Information
Dependencies: Grouping of metrics
OWASP SAMM 2 Mapping: o-incident-management|A|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001
Screens with metric visualization
Risk and Opportunity
Risk: Security related information is discovered too late during an incident.
Opportunity: By having an internal accessible screen with a security related dashboards helps to visualize incidents.
Exploit details
Usefullness: Very High
Required knowledge: Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
Dependencies: Grouping of metrics
OWASP SAMM 2 Mapping: o-incident-management|A|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 16.1.5
Sub-Dimension Logging
Centralized system logging
Risk and Opportunity
Risk: Local stored system logs can be unauthorized manipulated by attackers or might be corrupt after an incident. In addition, it is hard to perform a aggregation of logs.
Opportunity: By using centralized logging logs are protected against unauthorized modification.
Exploit details
Usefullness: Low
Required knowledge: Very Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
Implementation hints: rsyslog, Logstash
OWASP SAMM 2 Mapping: o-incident-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 12.4.1
Logging of security events
Risk and Opportunity
Risk: No track of security-relevant events makes it harder to analyse an incident.
Opportunity: Security-relevant events like login/logout or creation, change, deletion of users should be logged.
Exploit details
Usefullness: High
Required knowledge: Very Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
Dependencies: PII logging concept
Implementation hints: rsyslog, logstash, fluentd, bash
OWASP SAMM 2 Mapping: o-incident-management|A|1
ISO27001:2017 Controls Mapping:
PII logging concept
Risk and Opportunity
Risk: Personal identifiable information (PII) is logged and the law of GDPR is not followed.
Opportunity: A concept how to log PII is documented and applied.
Exploit details
Usefullness: Very Low
Required knowledge: Very Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
Implementation hints: rsyslog, logstash, fluentd, bash
OWASP SAMM 2 Mapping: o-incident-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 12.4.1
- 18.1.1
Visualized logging
Risk and Opportunity
Risk: System and application protocols are not visualized properly which leads to no or very limited logging assessment. Specially developers might have difficulty to read applications logs with unusually tools like the Linux tool 'cat'
Opportunity: Protocols are visualized in a simple to use real time monitoring system. The GUI gives the ability to search for special attributes in the protocol.
Exploit details
Usefullness: High
Required knowledge: Very Low (one discipline)
Required time: Medium
Required resources (systems): Medium
Additional Information
Dependencies: Centralized system logging, Centralized application logging
Implementation hints: ELK-Stack
OWASP SAMM 2 Mapping: o-incident-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 12.4.1
Centralized application logging
Risk and Opportunity
Risk: Local stored logs can be unauthorized manipulated by attackers with system access or might be corrupt after an incident. In addition, it is hard to perform an correlation of logs. This leads attacks, which can be performed silently.
Opportunity: A centralized logging system is used and applications logs (including application exceptions) are shipped to it.
Exploit details
Usefullness: Very High
Required knowledge: Very Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
Dependencies: Visualized logging, Alerting
OWASP SAMM 1 Mapping: SA2-B
OWASP SAMM 2 Mapping: o-incident-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 12.4.1
Correlation of security events
Risk and Opportunity
Risk: Detection of security related events with hints on different systems/tools/metrics is not possible.
Opportunity: Events are correlated on one system. For example the correlation and visualisation of failed login attempts combined with successful login attempts.
Exploit details
Usefullness: Medium
Required knowledge: High (two disciplines)
Required time: High
Required resources (systems): High
Additional Information
Dependencies: Visualized logging, Alerting
OWASP SAMM 2 Mapping: o-incident-management|A|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 12.4.1
Dimension Infrastructure
Sub-Dimension Infrastructure Hardening
Segmented networks for virtual environments
Risk and Opportunity
Risk: Virtual environments in default settings are able to access other virtual environments on the network stack. By using virtual machines, it is often possible to connect to other virtual machines. By using docker, one bridge is used by default so that all containers on one host can communicate with each other.
Opportunity: The communication between virtual environments is regulated.
Exploit details
Usefullness: Very High
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Medium
Additional Information
Dependencies:
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- virtual environments are not explicitly covered by ISO 27001 - too specific
- 13.1.3
Simple access control for systems
Risk and Opportunity
Risk: Attackers a gaining access to internal systems and application interfaces
Opportunity: All internal systems are using simple authentication
Exploit details
Usefullness: Very High
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Medium
Additional Information
Dependencies: Defined deployment process
Implementation hints: HTTP-Basic Authentication, TLS, VPN
OWASP SAMM 1 Mapping: EH1-B
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
Usage of test and production environments
Risk and Opportunity
Risk: Security tests are not running regularly because test environments are missing
Opportunity: A production and a production like envirnoment is used
Exploit details
Usefullness: High
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Very High
Additional Information
Dependencies: Defined deployment process
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 12.1.4
- 17.2.1
Applications are running in virtualized environments
Risk and Opportunity
Risk: Through a vulnerability in one service on a server, the attacker gains access to other services running on the same server.
Opportunity: Applications are running in a dedicated and isolated virtualized environments.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Very High
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- virtual environments are not explicitly covered by ISO 27001 - too specific
- 13.1.3
Checking the sources of used libraries
Risk and Opportunity
Risk: Application and system libraries can have implementation flaws or deployment flaws.
Opportunity: Each libraries source is checked to have a trusted source.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Very Low
OWASP SAMM 1 Mapping: SA1-A
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 14.2.1
- 14.2.5
The cluster is hardened
Risk and Opportunity
Risk: Using default configurations for a cluster environment leads to potential risks.
Opportunity: Harden cluster environments according to best practices.
Exploit details
Usefullness: High
Required knowledge: High (two disciplines)
Required time: Medium
Required resources (systems): Low
Additional Information
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- system hardening is not explicitly covered by ISO 27001 - too specific
- 13.1.3
Usage of security by default for components
Risk and Opportunity
Risk: Components (images, libraries, applications) are not hardened.
Opportunity: Hardening of components is important, specially for image on which other teams base on. Hardening should be performed on the operation system and on the services inside (e.g. Nginx or a Java-Application).
Exploit details
Usefullness: Medium
Required knowledge: High (two disciplines)
Required time: Medium
Required resources (systems): Very Low
Additional Information
Dependencies: Defined build process
Implementation hints: For applications: Check default encoding, managing secrets, crypto, authentication
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
Virtual environments are limited
Risk and Opportunity
Risk: Denial of service (internally by an attacker or unintentionally by a bug) on one service effects other services
Opportunity: All virtual environments are using resource limits on hard disks, memory and CPU
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Medium
Additional Information
Dependencies: Applications are running in virtualized environments
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- virtual environments are not explicitly covered by ISO 27001 - too specific
- 12.1.3
- 13.1.3
- 17.2.1
2FA
Risk and Opportunity
Risk: One factor authentication is more vulnerable to brute force attacks and is considered less secure.
Opportunity: Two factor authentication for all privileged accounts on systems and applications
Exploit details
Usefullness: High
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Medium
Additional Information
Implementation hints: Smartcard, YubiKey, SMS, TOTP
OWASP SAMM 2 Mapping: TODO
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 9.1.1
- 9.4.2
- 14.2.5
Immutable Infrastructure
Risk and Opportunity
Risk: The availability of IT systems might be disturbed due to components failures
Opportunity: Redundancies in the IT systems
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Dependencies: Infrastructure as Code, Usage of
Semantic Versioning for components like project images
Implementation hints: Remove direct access to infrastructure
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 17.2.1
Infrastructure as Code
Risk and Opportunity
Risk: No tracking of changes in systems might lead to errors in the configuration. In additions, it might lead to unauthorized changes. An examples is jenkins.
Opportunity: Systems are setup by code. A full environment can be provisioned. In addition, software like Jenkins 2 can be setup and configured in in code too. The code should be stored in a version control system.
Exploit details
Usefullness: High
Required knowledge: Medium (two disciplines)
Required time: Very High
Required resources (systems): High
Additional Information
Implementation hints: GitOps, Ansible, Chef, Puppet, Jenkinsfile
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 12.1.1
- 12.1.2
Role based authentication and authorization
Risk and Opportunity
Risk: Everyone is able to get unauthorized access to information on systems or to modify information unauthorized on systems.
Opportunity: The usage of a (role based) access control helps to restrict system access to authorized users.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Medium
Required resources (systems): Very Low
Additional Information
Dependencies: Defined deployment process, Defined build process
Implementation hints: Directory Service, Plugins
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
versioning
Risk and Opportunity
Risk: Changes to production systems can not be undone.
Opportunity: versioning of artifacts related to production environments. For example Jenkins configuration, docker images, system provisioning code.
Exploit details
Usefullness: Very High
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Medium
Additional Information
Dependencies: Defined deployment process
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 12.1.1
- 12.1.2
- 14.2.2
Limitation of system calls in virtual environments
Risk and Opportunity
Risk: System calls in virtual environments like docker can lead to privilege escalation.
Opportunity: System calls in virtual environments like docker are audited and limited.
Exploit details
Usefullness: Very High
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Medium
Additional Information
Dependencies: Applications are running in virtualized environments
Implementation hints: seccomp, strace
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- system hardenong is not explicitly covered by ISO 27001 - too specific
Microservice-Architecture
Risk and Opportunity
Risk: Monolithic applications are hard to test.
Opportunity: A microservice-architecture helps to have small components, which are more easy to test.
Exploit details
Usefullness: Medium
Required knowledge: High (two disciplines)
Required time: Very High
Required resources (systems): Very High
OWASP SAMM 1 Mapping: SA2
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001
Production near environments are used by developers
Risk and Opportunity
Risk: In case an errors occurs in production, the developer need to be able to create a production near environment on a local development environment.
Opportunity: Usage of infrastructure as code helps to create a production near environment. The developer needs to be trained in order to setup a local development environment. In addition, it should be possible to create production like test data. Often personal identifiable information is anonymized in order to comply with data protection laws.
Exploit details
Usefullness: High
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Medium
Additional Information
Dependencies: Defined deployment process, Infrastructure as Code
OWASP SAMM 1 Mapping: SA1
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
Usage of a chaos monkey
Risk and Opportunity
Risk: Due to manuel changes on a system, they are not replaceable anymore. In case of a crash it might happen that a planned redundant system is unavailable. In addition, it is hard to replay manual changes.
Opportunity: A randomized periodically shutdown of systems makes sure, that nobody will perform manual changes to a system.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Very High
Required resources (systems): Very High
OWASP SAMM 2 Mapping: o-environment-management|A|1
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 17.1.3
Dimension Test and Verification
Sub-Dimension Dynamic depth for applications
Simple Scan
Risk and Opportunity
Risk: Deficient security tests are performed. Simple vulnerabilities are not detected and missing security configurations (e.g. headers) are not set. Fast feedback is not given.
Opportunity: A simple scan is performed to get a security baseline. In case the test is done in under 10 minutes, it should be part of the build and deployment process.
Exploit details
Usefullness: Low
Required knowledge: Low (one discipline)
Required time: Medium
Required resources (systems): Very Low
Additional Information
Dependencies: Defined build process
OWASP SAMM 1 Mapping: ST2
OWASP SAMM 2 Mapping: v-security-testing|A|1
ISO27001:2017 Controls Mapping:
Coverage of client side dynamic components
Risk and Opportunity
Risk: Parts of the service are not covered during the scan, because JavaScript is not getting executed. Therefore, the co
Opportunity: Usage of a spider which executes dynamic content like JavaScript, e.g. via Selenium.
Exploit details
Usefullness: High
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Very Low
Additional Information
Dependencies: Usage of different roles
Implementation hints: Ajax Spider
OWASP SAMM 1 Mapping: ST-2
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Usage of different roles
Risk and Opportunity
Risk: Parts of the service are not covered during the scan, because a login is not performed.
Opportunity: Integration of authentication with all roles used in the service.
Exploit details
Usefullness: Low
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Very Low
Additional Information
Dependencies: Simple Scan
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 14.2.3
- 14.2.8
Coverage of hidden endpoints
Risk and Opportunity
Risk: Hidden endpoints of the service are not getting tracked.
Opportunity: Hidden endpoints are getting detected and included in the vulnerability scan.
Exploit details
Usefullness: Very High
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Very Low
Additional Information
Dependencies: Usage of different roles
Implementation hints: cURL, OpenAPI
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
Coverage of more input vectors
Risk and Opportunity
Risk: Parts of the service are not covered. For example specially formatted or coded parameters are not getting detected as parameter (e.g. parameters in REST-like URLs, parameters in JSON-Format or base64-coded parameters).
Opportunity: Special parameter and special encodings are defined, so that they get fuzzed by the used vulnerability scanners.
Exploit details
Usefullness: High
Required knowledge: Very High (three or more disciplines)
Required time: Very High
Required resources (systems): Very Low
Additional Information
Dependencies: Usage of different roles
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
Coverage of sequential operations
Risk and Opportunity
Risk: Sequential operations like workflows (e.g. login -> put products in the basket
Opportunity: Sequential operations are defined and checked by the vulnerability scanner in the defined order.
Exploit details
Usefullness: Very High
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Very Low
Additional Information
Dependencies: Usage of different roles
Implementation hints: cURL
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Usage of multiple scanners
Risk and Opportunity
Risk: Each vulnerability scanner has different opportunities. By using just one scanner, some vulnerabilities might not be found.
Opportunity: Usage of multiple spiders and scanner enhance the coverage and the vulnerabilities.
Exploit details
Usefullness: Very Low
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Very High
Additional Information
Dependencies: Usage of different roles
Implementation hints: SecureCodeBox
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Coverage analysis
Risk and Opportunity
Risk: Parts of the service are not still covered.
Opportunity: Check that there are no missing paths in the application with coverage-tools.
Exploit details
Usefullness: High
Required knowledge: High (two disciplines)
Required time: Very High
Required resources (systems): Medium
Additional Information
Implementation hints: OWASP Code Pulse
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- part of periodic review, PDCA
Coverage of service to service communication
Risk and Opportunity
Risk: Service to service communication is not covered.
Opportunity: Service to service communication is dumped and checked.
Exploit details
Usefullness: Medium
Required knowledge: High (two disciplines)
Required time: Very High
Required resources (systems): Low
Additional Information
Dependencies: Simple Scan
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Sub-Dimension Static depth for applications
Test of server side components with known vulnerabilities
Risk and Opportunity
Risk: Server side components might have vulnerabilities.
Opportunity: Tests for known vulnerabilities in server side components (e.g. backend/middleware) are performed.
Exploit details
Usefullness: Very High
Required knowledge: Very Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Dependencies: Defined build process
Implementation hints: OWASP Dependency Check
OWASP SAMM 1 Mapping: SA
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Static analysis for important server side components
Risk and Opportunity
Risk: Important parts in the source code of the middleware have vulnerabilities.
Opportunity: Usage of static analysis tools for important parts of the middleware are used. Static analysis uses for example string matching algorithms and/or dataflow analysis.
Exploit details
Usefullness: High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Dependencies: Defined build process
Implementation hints: eslint, FindSecurityBugs, jsprime
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Static analysis for important client side components
Risk and Opportunity
Risk: Important parts in the source code of the frontend have vulnerabilities.
Opportunity: Usage of static analysis tools for important parts of the frontend are used. Static analysis uses for example string matching algorithms and/or dataflow analysis.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Dependencies: Defined build process
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Test of client side components with known vulnerabilities
Risk and Opportunity
Risk: Client side components might have vulnerabilities.
Opportunity: Tests for known vulnerabilities in components of the frontend are performed.
Exploit details
Usefullness: Low
Required knowledge: Very Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Dependencies: Defined build process
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Exclusion of source code duplicates
Risk and Opportunity
Risk: Duplicates in source code might influence the stability of the application.
Opportunity: Automatic Detection and manual removal of duplicates in source code.
Exploit details
Usefullness: Very Low
Required knowledge: Very Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
Dependencies: Defined build process
Implementation hints: PMD
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 14.2.1
- 14.2.5
Static analysis for all components/libraries
Risk and Opportunity
Risk: Used components like libraries and legacy applications might have vulnerabilities
Opportunity: Usage of a static analysis for all used components.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: High
Required resources (systems): Low
Additional Information
Dependencies: Static analysis for important client side components, Static analysis for important server side components
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Static analysis for all self written components
Risk and Opportunity
Risk: Parts in the source code of the frontend or middleware have vulnerabilities.
Opportunity: Usage of static analysis tools for all parts of the middleware and frontend. Static analysis uses for example string matching algorithms and/or dataflow analysis.
Exploit details
Usefullness: High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Dependencies: Static analysis for important client side components, Static analysis for important server side components
Implementation hints: eslint, FindSecurityBugs, jsprime
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Stylistic analysis
Risk and Opportunity
Risk: False source code indenting might lead to vulnerabilities.
Opportunity: Analysis of compliance to style guides of the source code ensures that source code indenting rules are met.
Exploit details
Usefullness: Very Low
Required knowledge: Very Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
Implementation hints: PMD
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Usage of multiple analysers
Risk and Opportunity
Risk: Each vulnerability analyser has different opportunities. By using just one analyser, some vulnerabilities might not be found.
Opportunity: Usage of multiple static tools to find more vulnerabilities.
Exploit details
Usefullness: Very Low
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Very High
Additional Information
Dependencies: Test of server side components with known vulnerabilities, Test of client side components with known vulnerabilities, Static analysis for all self written components
OWASP SAMM 2 Mapping: v-security-testing|A|3
ISO27001:2017 Controls Mapping:
Sub-Dimension Test-Intensity
Default settings for intensity
Risk and Opportunity
Risk: Time pressure and ignorance might lead to false predictions for the test intensity.
Opportunity: The intensity of the used tools are not modified to safe time.
Exploit details
Usefullness: Very Low
Required knowledge: Very Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
OWASP SAMM 2 Mapping: v-security-testing|A|1
ISO27001:2017 Controls Mapping:
High test intensity
Risk and Opportunity
Risk: A too small intensity or a too high confidence might lead to not visible vulnerabilities.
Opportunity: A deep scan with high test intensity and a low confidence threshold is performed.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Very High
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Deactivating of unneeded tests
Risk and Opportunity
Risk: As tools cover a wide range of different vulnerability tests, they might not match the used components. Therefore, they need more time and resources as they need and the feedback loops takes too much time.
Opportunity: Unneeded tests are deactivated. For example in case the service is using a Mongo database and no mysql database, the dynamic scan doesn't need to test for sql injections.
Exploit details
Usefullness: Very Low
Required knowledge: Low (one discipline)
Required time: Medium
Required resources (systems): Very Low
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Creation and application of a testing concept
Risk and Opportunity
Risk: Scans might use a too small or too high test intensity.
Opportunity: A testing concept considering the amount of time per scan/intensity is created and applied. A dynamic analysis needs more time than a static analysis. The dynamic scan, depending on the test intensity might be performed on every commit, every night, every week or once in a month.
Exploit details
Usefullness: Low
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Medium
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
- 14.2.2
- 14.2.3
- 14.2.1
- 14.2.5
- 12.6.1
Sub-Dimension Consolidation
Definition of quality gates
Risk and Opportunity
Risk: Improper examination of vulnerabilities leads to no visibility at all.
Opportunity: Quality gates for found vulnerabilities are defined. In the start it is important to not overload the security analyst, therefore the recommendation is to start with alerting of high cirital vulnerabilities.
Exploit details
Usefullness: High
Required knowledge: Very Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
Implementation hints: See other actions, e.g. "Treatment of defects with severity high".
OWASP SAMM 1 Mapping: IR2-A
OWASP SAMM 2 Mapping: i-defect-management|A|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 12.6.1
- 16.1.4
Simple false positive treatment
Risk and Opportunity
Risk: As false positive occure during each test, all vulnerabilities might be ignored.
Opportunity: False positives are suppressed so they will not show up on the next tests again. Most security tools have the possibility to suppress false positives. A Vulnerability Management System might be used.
Exploit details
Usefullness: High
Required knowledge: Very Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
OWASP SAMM 1 Mapping: IR2-A
OWASP SAMM 2 Mapping: i-defect-management|A|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 16.1.6
Treatment of defects with severity high or higher
Risk and Opportunity
Risk: Vulnerabilities with severity high or higher are not visible.
Opportunity: Vulnerabilities with severity high or higher are added to the quality gate.
Exploit details
Usefullness: High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Comments: False positive analysis, specially for static analysis, is time consuming.
OWASP SAMM 2 Mapping: i-defect-management|B|2
ISO27001:2017 Controls Mapping:
Simple visualization of defects
Risk and Opportunity
Risk: The security level of a component is not visible. Therefore, the motivation to enhance the security is not give.
Opportunity: Vulnerabilities are simple visualized.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
OWASP SAMM 2 Mapping: i-defect-management|B|1
ISO27001:2017 Controls Mapping:
Integration of vulnerability issues into the development process
Risk and Opportunity
Risk: To read console output of the build server to search for vulnerabilities might be difficult. Also, to check a vulnerability management system might not be a daily task for a developer.
Opportunity: Vulnerabilities are tracked in the teams issue system (e.g. jira).
Exploit details
Usefullness: Low
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Implementation hints: At SAST (Static Application Security Testing): Server-side / client-side teams can easily be recorded. With microservice architecture, individual microservices can be used usually Teams. At DAST (Dynamic Application Security Testing): vulnerabilities are classified and can be assigned to server-side and client-side teams.
OWASP SAMM 2 Mapping: i-defect-management|B|2
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001 - too specific
- 16.1.4
- 16.1.5
- 16.1.6
Treatment of defects with severity middle
Risk and Opportunity
Risk: Vulnerabilities with severity middle are not visible.
Opportunity: Vulnerabilities with severity middle are added to the quality gate.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
Comments: False positive analysis, specially for static analysis, is time consuming.
OWASP SAMM 2 Mapping: i-defect-management|B|2
ISO27001:2017 Controls Mapping:
Advanced visualization of defects
Risk and Opportunity
Risk: Correlation of the vulnerabilities of different tools to have an overview of the the overall security level per component/project/team is not given.
Opportunity: Findings are visualized per component/project/team.
Exploit details
Usefullness: Low
Required knowledge: Low (one discipline)
Required time: High
Required resources (systems): Very Low
Additional Information
OWASP SAMM 2 Mapping: defect-management|B|1
ISO27001:2017 Controls Mapping:
Reproducible defect tickets
Risk and Opportunity
Risk: Vulnerability descriptions are hard to understand by staff from operations and development.
Opportunity: Vulnerabilities include the test procedure to give the staff from operations and development the ability to reproduce vulnerabilities. This enhances the understanding of vulnerabilities and therefore the fix have a higher quality.
Exploit details
Usefullness: Low
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Low
Additional Information
OWASP SAMM 2 Mapping: i-defect-management|B|2
ISO27001:2017 Controls Mapping:
Treatment of all defects
Risk and Opportunity
Risk: Vulnerabilities with severity low are not visible.
Opportunity: All vulnerabilities are added to the quality gate.
Exploit details
Usefullness: Low
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Very Low
OWASP SAMM 2 Mapping: i-defect-management|B|2
ISO27001:2017 Controls Mapping:
Usage of a vulnerability management system
Risk and Opportunity
Risk: Maintenance of false positives in each tool enforces a high workload. In addition a correlation of the same finding from different tools is not possible.
Opportunity: Aggregation of vulnerabilities in one tool reduce the workload to mark false positives.
Exploit details
Usefullness: Low
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Low
Additional Information
OWASP SAMM 2 Mapping: i-defect-management|B|1
ISO27001:2017 Controls Mapping:
- 12.6.1
- 16.1.3
- 16.1.4
- 16.1.5
- 16.1.6
Sub-Dimension Application tests
Security unit tests for important components
Risk and Opportunity
Risk: Vulnerabilities are rising due to code changes.
Opportunity: Usage of unit tests to test important security related features like authentication and authorization.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: High
Required resources (systems): Low
Additional Information
Comments: The integration of module tests takes place during development instead, it highlights vulnerabilities in sub-routines, functions, modules, libraries etc. checked.
OWASP SAMM 1 Mapping: ST2-B
OWASP SAMM 2 Mapping: v-security-testing|B|3
ISO27001:2017 Controls Mapping:
Security integration tests for important components
Risk and Opportunity
Risk: Vulnerabilities are rising due to code changes in a complex microservice environment.
Opportunity: Implementation of essential security related integration tests. For example for authentication and authorization.
Exploit details
Usefullness: Low
Required knowledge: Medium (two disciplines)
Required time: High
Required resources (systems): Low
Additional Information
Implementation hints: HttpUnit
OWASP SAMM 1 Mapping: ST2-B
OWASP SAMM 2 Mapping: v-security-testing|B|3
ISO27001:2017 Controls Mapping:
High coverage of security related module and integration tests
Risk and Opportunity
Risk: Vulnerabilities are rising due to code changes in a complex microservice environment in not important components.
Opportunity: Implementation of security related tests via unit tests and integration tests. Including the test of libraries, in case the are not tested already.
Exploit details
Usefullness: Medium
Required knowledge: Very High (three or more disciplines)
Required time: Very High
Required resources (systems): Medium
OWASP SAMM 1 Mapping: ST2-B
OWASP SAMM 2 Mapping: v-security-testing|B|3
ISO27001:2017 Controls Mapping:
Smoke Test
Risk and Opportunity
Risk: During a deployment an error might happen which leads to non-availability of the system, a part of the system or a feature.
Opportunity: Integration tests are performed against the production environment after each deployment.
Exploit details
Usefullness: Low
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Low
Additional Information
Dependencies: Defined deployment process
OWASP SAMM 1 Mapping: ST2-B
OWASP SAMM 2 Mapping: v-security-testing|B|3
ISO27001:2017 Controls Mapping:
Sub-Dimension Dynamic depth for infrastructure
Test network segmentation
Risk and Opportunity
Risk: Wrong or no network segmentation of pods makes it easyer for an attacker to access a database and extract or modify data.
Opportunity: Integration of fine granulated network segmenation (also between pods in the same namespace)
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Test of the configuration of cloud environments
Risk and Opportunity
Risk: Standard hardening practices for cloud environments are not performed leading to vulnerabilities.
Opportunity: With the help of tools the configuration of virtual environments are tested.
Exploit details
Usefullness: High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
OWASP SAMM 1 Mapping: EH2-B
ISO27001:2017 Controls Mapping:
- system hardening is not explicitly covered by ISO 27001 - too specific
- 12.6.1
- 14.2.3
- 14.2.8
Weak password test
Risk and Opportunity
Risk: Weak passwords in components like applications or systems, specially for privileged accounts, lead to take over of that account.
Opportunity: Automatic brute force attacks are performed. Specially the usage of standard accounts like 'admin' and employee user-ids is recommended.
Exploit details
Usefullness: Very Low
Required knowledge: Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
Implementation hints: HTC Hydra
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Load tests
Risk and Opportunity
Risk: As it is unknown how many requests the systems and applications can serve, due to an unexpected load the availability is disturbed.
Opportunity: Load test against the production system or a production near system is performed.
Exploit details
Usefullness: Medium
Required knowledge: Medium (two disciplines)
Required time: Low
Required resources (systems): Very High
OWASP SAMM 2 Mapping: v-security-testing|A|1
ISO27001:2017 Controls Mapping:
Sub-Dimension Static depth for infrastructure
Stored Secrets
Risk and Opportunity
Risk: Stored secrets in git history, in container images or directly in code shouldn't exists because they might be read unauthorized.
Opportunity: Test for secrets in code, container images and history
Exploit details
Usefullness: Low
Required knowledge: Low (one discipline)
Required time: Very Low
Required resources (systems): Low
Additional Information
OWASP SAMM 2 Mapping: v-security-testing|A|1
ISO27001:2017 Controls Mapping:
- vcs usage is not explicitly covered by ISO 27001 - too specific
- 9.4.3
- 10.1.2
Test cluster deployment resources
Risk and Opportunity
Risk: The deployment configuration (e.g. kubernetes deployment resources) might contain unsecured configurations.
Opportunity: Test the deployment configuration for virtualized environments for unsecured configurations.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Very Low
Required resources (systems): Low
Additional Information
OWASP SAMM 2 Mapping: v-security-testing|A|1
ISO27001:2017 Controls Mapping:
- system hardening is not explicitly covered by ISO 27001 - too specific
- 12.6.1
- 14.2.3
- 14.2.8
Test the configuration of cloud environments
Risk and Opportunity
Risk: Standard hardening practices for cloud environments are not performed leading to vulnerabilities.
Opportunity: With the help of tools the configuration of virtual environments are tested.
Exploit details
Usefullness: High
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Very Low
Additional Information
OWASP SAMM 1 Mapping: EH2-B
OWASP SAMM 2 Mapping: v-security-testing|A|1
ISO27001:2017 Controls Mapping:
- system hardening is not explicitly covered by ISO 27001 - too specific
- 12.6.1
- 14.2.3
- 14.2.8
Test the definition of virtualized environments
Risk and Opportunity
Risk: The definition of virtualized environments (e.g. via Dockerfile) might contains unsecure configurations.
Opportunity: Test the definition of virtualized environments for unsecured configurations.
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Very Low
Required resources (systems): Low
Additional Information
OWASP SAMM 2 Mapping: v-security-testing|A|1
ISO27001:2017 Controls Mapping:
- system hardening, virtual environments are not explicitly covered by ISO 27001 - too specific
- 12.6.1
- 14.2.3
- 14.2.8
- 14.2.1
Check for image lifetime
Risk and Opportunity
Risk: Old container images in production indicate that patch management is not performed and therefore vulnerabilities might exists.
Opportunity: Check the image age of containers in production.
Exploit details
Usefullness: Low
Required knowledge: Low (one discipline)
Required time: Very Low
Required resources (systems): Very Low
Additional Information
OWASP SAMM 2 Mapping: v-security-testing|A|1
ISO27001:2017 Controls Mapping:
Check for malware
Risk and Opportunity
Risk: Third party might include malware. Ether due to the maintainer (e.g. typo squatting of an image name and using the wrong image) or by an attacker on behalf of the maintainer with stolen credentials.
Opportunity: Check for malware in components (e.g. container images, VM baseline images, libaries).
Exploit details
Usefullness: Medium
Required knowledge: Low (one discipline)
Required time: Low
Required resources (systems): Low
Additional Information
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Check for new image version​
Risk and Opportunity
Risk: When a new version of an image is available, it might fixes security vulnerabilities.
Opportunity: Check for new images of containers in production.
Exploit details
Usefullness: Low
Required knowledge: Medium (two disciplines)
Required time: Medium
Required resources (systems): Very Low
Additional Information
OWASP SAMM 2 Mapping: v-security-testing|A|2
ISO27001:2017 Controls Mapping:
Test of infrastructure components for known vulnerabilities
Risk and Opportunity
Risk: Infrastructure components might have vulnerabilities.
Opportunity: Test for known vulnerabilities in infrastructure components. Often, the only way to respond to known vulnerabilities in operating system packages is to accept the risk and wait for a patch. As the patch needs to be applied fast when it is available, this activity depends on 'Usage of a maximum life for images'.
Exploit details
Usefullness: Very Low
Required knowledge: Low (one discipline)
Required time: Very High
Required resources (systems): Low
Additional Information
Dependencies: Usage of a maximum lifetime for images
Implementation hints: - Anchore.io
- Clair
- OpenSCAP
- Vuls
OWASP SAMM 2 Mapping: v-security-testing|A|1
ISO27001:2017 Controls Mapping:
