Merge pull request #15 from vbakke/feat/descriptions-enhancement

Suggested improvements, and spelling corrections

Author: wurstbrot

src/assets/YAML/default/CultureAndOrganization/Process.yaml

@@ -58,15 +58,18 @@ Culture and Organization:
       comments: ""
     Definition of simple BCDR practices for critical components:
       uuid: c72da779-86cc-45b1-a339-190ce5093171
+      description:
+        A _Business Continuity and Disaster Recovery_ (BCDR) is a plan and a process
+        that helps a business to return to normal operations if a disaster occurs.
       risk:
-        In case of an emergency, like a power outage, DR actions to perform are
-        not clear. This leads to reaction and remediation delays.
+        If the disaster recovery actions are not clear, you risk slow reaction and remediation delays.
+        This applies to cyber attacks as well as natural emergencies, such as a power outage.
       measure:
         By understanding and documenting a business continuity and disaster
         recovery (BCDR) plan, the overall availability of systems and applications
         is increased. Success factors like responsibilities, Service Level Agreements,
         Recovery Point Objectives, Recovery Time Objectives or Failover must be fully
-        documented and understood.
+        documented and understood by the people involved in the recovery.
       difficultyOfImplementation:
         knowledge: 4
         time: 3

src/assets/YAML/default/Implementation/ApplicationHardening.yaml

@@ -55,10 +55,10 @@ Implementation:
       risk:
         The generation of interpreter directives from user-provided data poses difficulties and can introduce vulnerabilities to injection attacks.
       measure: |
-        Implementing contextualized encoding fpr the next interpreter, such as employing object-relational mapping tools 
+        Implementing contextualized encoding for the next interpreter, such as employing object-relational mapping tools 
         or utilizing prepared statements, nearly removes the threat of injection vulnerabilities.
         
-        Also take into account a a secure by default UI framework, which performs automatic contextual encoding of outputs with potential malicious user input (e.g. angular).
+        Also take into account a secure by default UI framework, which performs automatic contextual encoding of outputs with potential malicious user input (e.g. angular).
       difficultyOfImplementation:
         knowledge: 2
         time: 2

src/assets/YAML/default/Implementation/InfrastructureHardening.yaml

@@ -510,12 +510,12 @@ Implementation:
       uuid: ad23be9c-5661-4f1f-81a3-5a5dc7061629
       risk:
         Evil actors might be able to perform a man in the middle attack and sniff
-        confidential information (e.g. authentication factors like passwords)
+        confidential information (e.g. authentication factors like passwords).
       measure: |-
         By using encryption at the edge of traffic in transit, it is impossible
         or at least harder to sniff credentials or information being outside of the organization.
       
-        Useage of standard protocols like HTTPS is recommended.
+        Using standard secure protocols like HTTPS is recommended.
       difficultyOfImplementation:
         knowledge: 2
         time: 2

src/assets/YAML/default/TestAndVerification/Consolidation.yaml

@@ -23,7 +23,7 @@ Test and Verification:
       dependsOn:
         - uuid:38d1bd10-7b5f-4ae1-868c-0ec813285425 # Fix based on severity
         #- uuid:3260a15f-2df0-4173-8790-f11de2cb525a # Access applications accessibility TODO
-        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f #iventory of apps
+        - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components
       implementation:
       references:
         samm2:
@@ -141,7 +141,7 @@ Test and Verification:
         As false positive occur during each test, all vulnerabilities might be
         ignored. Specially, if tests are automated an run daily.
       measure: |-
-        Findings from security tests must be triaged and outcomes persistend/documented to:
+        Findings from security tests must be triaged and outcomes persisted/documented to:
           - Prevent re-analysis of known issues in subsequent test runs
           - Track accepted risks vs false positives
           - Enable consistent decision-making across teams
@@ -228,7 +228,7 @@ Test and Verification:
           - 8.8
           - 5.25
       tags: ["vuln-action", "defect-management"]
-      comments: ""#
+      comments: ""
     Treatment of defects with severity high or higher:
       uuid: 44f2c8a9-4aaa-4c72-942d-63f78b89f385
       risk: Vulnerabilities with severity high or higher are not visible.