| 1 | +## DSOMM Activity Dependencies |
| 2 | + |
| 3 | +The activities in this DSOMM Model have the following dependencies. |
| 4 | + |
| 5 | +```mermaid |
| 6 | +graph LR |
| 7 | +
|
| 8 | +0(L2 Pinning of artifacts) |
| 9 | +1(L1 Defined build process) |
| 10 | +2(L2 SBOM of components) |
| 11 | +3(L3 Signing of code) |
| 12 | +4(L5 Signing of artifacts) |
| 13 | +5(L1 Defined deployment process) |
| 14 | +6(L1 Inventory of production components) |
| 15 | +7(L2 Inventory of production artifacts) |
| 16 | +8(L3 Handover of confidential parameters) |
| 17 | +9(L2 Environment depending configuration parameters secrets) |
| 18 | +10(L3 Inventory of production dependencies) |
| 19 | +11(L3 Rolling update on deployment) |
| 20 | +12(L4 Same artifact for environments) |
| 21 | +13(L4 Usage of feature toggles) |
| 22 | +14(L5 Blue/Green Deployment) |
| 23 | +15(L4 Smoke Test) |
| 24 | +16(L2 Automated merge of automated PRs) |
| 25 | +17(L1 Automated PRs for patches) |
| 26 | +18(L3 Automated deployment of automated PRs) |
| 27 | +19(L3 Creation of simple abuse stories) |
| 28 | +20(L1 Conduction of simple threat modeling on technical level) |
| 29 | +21(L3 Creation of threat modeling processes and standards) |
| 30 | +22(L4 Conduction of advanced threat modeling) |
| 31 | +23(L5 Creation of advanced abuse stories) |
| 32 | +24(L2 Regular security training of security champions) |
| 33 | +25(L2 Each team has a security champion) |
| 34 | +26(L2 Determining the protection requirement) |
| 35 | +27(L2 App. Hardening Level 1) |
| 36 | +28(L1 App. Hardening Level 1 50%) |
| 37 | +29(L3 App. Hardening Level 2 75%) |
| 38 | +30(L4 App. Hardening Level 2) |
| 39 | +31(L5 App. Hardening Level 3) |
| 40 | +32(L1 Versioning) |
| 41 | +33(L3 Block force pushes) |
| 42 | +34(L2 Require a PR before merging) |
| 43 | +35(L3 Dismiss stale PR approvals) |
| 44 | +36(L3 Require status checks to pass) |
| 45 | +37(L1 Simple access control for systems) |
| 46 | +38(L2 Backup) |
| 47 | +39(L2 MFA) |
| 48 | +40(L1 MFA for admins) |
| 49 | +41(L2 Usage of test and production environments) |
| 50 | +42(L2 Virtual environments are limited) |
| 51 | +43(L2 Applications are running in virtualized environments) |
| 52 | +44(L3 Immutable infrastructure) |
| 53 | +45(L3 Infrastructure as Code) |
| 54 | +46(L3 Limitation of system events) |
| 55 | +47(L3 Audit of system events) |
| 56 | +48(L3 Role based authentication and authorization) |
| 57 | +49(L3 Usage of security by default for components) |
| 58 | +50(L3 WAF baseline) |
| 59 | +51(L1 Context-aware output encoding) |
| 60 | +52(L4 Production near environments are used by developers) |
| 61 | +53(L4 WAF medium) |
| 62 | +54(L5 WAF Advanced) |
| 63 | +55(L2 Centralized application logging) |
| 64 | +56(L2 Alerting) |
| 65 | +57(L3 Visualized logging) |
| 66 | +58(L1 Centralized system logging) |
| 67 | +59(L5 Correlation of security events) |
| 68 | +60(L2 Visualized metrics) |
| 69 | +61(L2 Monitoring of costs) |
| 70 | +62(L1 Simple application metrics) |
| 71 | +63(L1 Simple system metrics) |
| 72 | +64(L3 Advanced availability and stability metrics) |
| 73 | +65(L3 Deactivation of unused metrics) |
| 74 | +66(L3 Targeted alerting) |
| 75 | +67(L4 Advanced app. metrics) |
| 76 | +68(L4 Coverage and control metrics) |
| 77 | +69(L4 Defense metrics) |
| 78 | +70(L3 Filter outgoing traffic) |
| 79 | +71(L4 Screens with metric visualization) |
| 80 | +72(L3 Grouping of metrics) |
| 81 | +73(L5 Metrics are combined with tests) |
| 82 | +74(L2 Patching mean time to resolution via PR) |
| 83 | +75(L3 Generation of response statistics) |
| 84 | +76(L3 Usage of a vulnerability management system) |
| 85 | +77(L4 Patching mean time to resolution via production) |
| 86 | +78(L2 Artifact-based false positive treatment) |
| 87 | +79(L1 Simple false positive treatment) |
| 88 | +80(L3 Fix based on accessibility) |
| 89 | +81(L1 Treatment of defects with severity high or higher) |
| 90 | +82(L3 Global false positive treatment) |
| 91 | +83(L3 Exploit likelihood estimation) |
| 92 | +84(L3 Office Hours) |
| 93 | +85(L2 Coverage of client side dynamic components) |
| 94 | +86(L2 Usage of different roles) |
| 95 | +87(L2 Simple Scan) |
| 96 | +88(L3 Coverage of hidden endpoints) |
| 97 | +89(L3 Coverage of more input vectors) |
| 98 | +90(L3 Coverage of sequential operations) |
| 99 | +91(L4 Usage of multiple scanners) |
| 100 | +92(L5 Coverage of service to service communication) |
| 101 | +93(L2 Test for exposed services) |
| 102 | +94(L2 Isolated networks for virtual environments) |
| 103 | +95(L2 Test network segmentation) |
| 104 | +96(L3 Test for unauthorized installation) |
| 105 | +97(L2 Evaluation of the trust of used components) |
| 106 | +98(L2 Software Composition Analysis server side) |
| 107 | +99(L2 Test for Time to Patch) |
| 108 | +100(L2 Test libyear) |
| 109 | +101(L3 API design validation) |
| 110 | +102(L3 Software Composition Analysis client side) |
| 111 | +103(L3 Static analysis for important client side components) |
| 112 | +104(L3 Static analysis for important server side components) |
| 113 | +105(L3 Test for Patch Deployment Time) |
| 114 | +106(L4 Static analysis for all self written components) |
| 115 | +107(L4 Usage of multiple analyzers) |
| 116 | +108(L5 Dead code elimination) |
| 117 | +109(L5 Exclusion of source code duplicates) |
| 118 | +110(L5 Static analysis for all components/libraries) |
| 119 | +111(L4 Correlate known vulnerabilities in infrastructure with new image versions) |
| 120 | +112(L2 Usage of a maximum lifetime for images) |
| 121 | +113(L4 Test of infrastructure components for known vulnerabilities) |
| 122 | +
|
| 123 | +
|
| 124 | +1 --> 0 |
| 125 | +1 --> 2 |
| 126 | +1 --> 3 |
| 127 | +1 --> 4 |
| 128 | +1 --> 5 |
| 129 | +1 --> 12 |
| 130 | +1 --> 48 |
| 131 | +1 --> 49 |
| 132 | +1 --> 87 |
| 133 | +1 --> 98 |
| 134 | +1 --> 100 |
| 135 | +1 --> 102 |
| 136 | +1 --> 103 |
| 137 | +1 --> 104 |
| 138 | +1 --> 105 |
| 139 | +1 --> 108 |
| 140 | +1 --> 109 |
| 141 | +0 --> 4 |
| 142 | +5 --> 6 |
| 143 | +5 --> 7 |
| 144 | +5 --> 11 |
| 145 | +5 --> 32 |
| 146 | +5 --> 37 |
| 147 | +5 --> 38 |
| 148 | +5 --> 41 |
| 149 | +5 --> 48 |
| 150 | +5 --> 52 |
| 151 | +5 --> 15 |
| 152 | +6 --> 7 |
| 153 | +6 --> 26 |
| 154 | +6 --> 80 |
| 155 | +6 --> 98 |
| 156 | +6 --> 101 |
| 157 | +6 --> 102 |
| 158 | +6 --> 103 |
| 159 | +6 --> 104 |
| 160 | +6 --> 106 |
| 161 | +6 --> 110 |
| 162 | +9 --> 8 |
| 163 | +7 --> 10 |
| 164 | +2 --> 10 |
| 165 | +12 --> 13 |
| 166 | +15 --> 14 |
| 167 | +17 --> 16 |
| 168 | +17 --> 74 |
| 169 | +17 --> 77 |
| 170 | +17 --> 99 |
| 171 | +17 --> 105 |
| 172 | +16 --> 18 |
| 173 | +20 --> 19 |
| 174 | +20 --> 21 |
| 175 | +20 --> 22 |
| 176 | +21 --> 19 |
| 177 | +21 --> 22 |
| 178 | +19 --> 23 |
| 179 | +25 --> 24 |
| 180 | +25 --> 76 |
| 181 | +28 --> 27 |
| 182 | +27 --> 29 |
| 183 | +29 --> 30 |
| 184 | +30 --> 31 |
| 185 | +34 --> 33 |
| 186 | +34 --> 35 |
| 187 | +34 --> 36 |
| 188 | +40 --> 39 |
| 189 | +43 --> 42 |
| 190 | +45 --> 44 |
| 191 | +45 --> 52 |
| 192 | +47 --> 46 |
| 193 | +51 --> 50 |
| 194 | +50 --> 53 |
| 195 | +53 --> 54 |
| 196 | +56 --> 55 |
| 197 | +56 --> 59 |
| 198 | +56 --> 66 |
| 199 | +58 --> 57 |
| 200 | +55 --> 57 |
| 201 | +57 --> 59 |
| 202 | +60 --> 56 |
| 203 | +60 --> 64 |
| 204 | +60 --> 47 |
| 205 | +60 --> 65 |
| 206 | +60 --> 67 |
| 207 | +60 --> 68 |
| 208 | +60 --> 69 |
| 209 | +62 --> 61 |
| 210 | +62 --> 60 |
| 211 | +62 --> 64 |
| 212 | +62 --> 67 |
| 213 | +63 --> 61 |
| 214 | +63 --> 60 |
| 215 | +70 --> 69 |
| 216 | +72 --> 71 |
| 217 | +72 --> 73 |
| 218 | +76 --> 75 |
| 219 | +76 --> 82 |
| 220 | +74 --> 77 |
| 221 | +79 --> 78 |
| 222 | +81 --> 80 |
| 223 | +78 --> 82 |
| 224 | +83 --> 76 |
| 225 | +83 --> 102 |
| 226 | +84 --> 76 |
| 227 | +86 --> 85 |
| 228 | +86 --> 88 |
| 229 | +86 --> 89 |
| 230 | +86 --> 90 |
| 231 | +86 --> 91 |
| 232 | +87 --> 86 |
| 233 | +87 --> 92 |
| 234 | +94 --> 93 |
| 235 | +94 --> 95 |
| 236 | +97 --> 96 |
| 237 | +98 --> 83 |
| 238 | +98 --> 107 |
| 239 | +103 --> 106 |
| 240 | +103 --> 110 |
| 241 | +104 --> 106 |
| 242 | +104 --> 110 |
| 243 | +102 --> 107 |
| 244 | +106 --> 107 |
| 245 | +112 --> 111 |
| 246 | +112 --> 113 |
| 247 | +
|
| 248 | +O --> 1 |
| 249 | +O --> 9 |
| 250 | +O --> 17 |
| 251 | +O --> 20 |
| 252 | +O --> 25 |
| 253 | +O --> 28 |
| 254 | +O --> 34 |
| 255 | +O --> 40 |
| 256 | +O --> 43 |
| 257 | +O --> 45 |
| 258 | +O --> 51 |
| 259 | +O --> 58 |
| 260 | +O --> 62 |
| 261 | +O --> 63 |
| 262 | +O --> 70 |
| 263 | +O --> 72 |
| 264 | +O --> 79 |
| 265 | +O --> 81 |
| 266 | +O --> 84 |
| 267 | +O --> 94 |
| 268 | +O --> 97 |
| 269 | +O --> 112 |
| 270 | +``` |
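Review bot: the root node `O` used in the final edge block (`O --> 1` through `O --> 112`) is never declared, so mermaid renders an unlabeled node whose id is the capital letter O, and it is visually indistinguishable from the digit node `0` (`0(L2 Pinning of artifacts)`, which also appears as a source in `0 --> 4`). Give the root a descriptive id and label, e.g. `root((DSOMM))` and `root --> 1`, so readers and future edits cannot confuse the two. Two smaller points: the node labels are unquoted, which is why parentheses cannot appear in them (node 9, `L2 Environment depending configuration parameters secrets`, reads as if `(secrets)` had its brackets stripped); wrapping labels in double quotes, e.g. `9("L2 Environment depending configuration parameters (secrets)")`, lets mermaid render them verbatim, including `/` in `Blue/Green` and `components/libraries`. And the intro sentence should state the edge direction, since `1 --> 0` only makes sense once the reader knows an arrow runs from the prerequisite activity to the activity that depends on it.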