🤖 fmt

Author: wurstbrot

src/assets/YAML/generated/generated.yaml

@@ -603,9 +603,9 @@ Build and Deployment:
           tags:
           - threat-modeling
           url: https://github.com/Threagile/threagile
-        don-t-forget-evil-u:
+        don-t-forget-evil-user-stories:
           uuid: bb5b8988-021b-452a-a914-bd36887b6860
-          name: '[Don''t Forget EVIL U'
+          name: Don't Forget EVIL User stories
           tags: []
           url: https://www.owasp.org/index.php/Agile_Software_Development
           description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
@@ -1551,6 +1551,19 @@ Build and Deployment:
           - vulnerability
           url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
           description: A catalog of vulnerabilities that have been exploited.
+        owasp-secure-headers:
+          uuid: 370b7f35-4da7-4833-89d6-7266b82ea07e
+          name: OWASP Secure Headers Project
+          tags:
+          - header
+          - documentation
+          url: https://owasp.org/www-project-secure-headers/
+          description: "The OWASP Secure Headers Project (also called OSHP) describes
+            HTTP response headers that your application can use \nto increase the
+            security of your application. Once set, these HTTP response headers can
+            restrict modern browsers \nfrom running into easily preventable vulnerabilities.
+            The OWASP Secure Headers Project intends to raise awareness\nand use of
+            these headers."
       references:
         samm2:
         - I-SD-1-B
@@ -2633,7 +2646,7 @@ Culture and Organization:
       - Creation of simple abuse stories
       implementation:
       - uuid: bb5b8988-021b-452a-a914-bd36887b6860
-        name: '[Don''t Forget EVIL U'
+        name: Don't Forget EVIL User stories
         tags: []
         url: https://www.owasp.org/index.php/Agile_Software_Development
         description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
@@ -2676,7 +2689,7 @@ Culture and Organization:
       level: 3
       implementation:
       - uuid: bb5b8988-021b-452a-a914-bd36887b6860
-        name: '[Don''t Forget EVIL U'
+        name: Don't Forget EVIL User stories
         tags: []
         url: https://www.owasp.org/index.php/Agile_Software_Development
         description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
@@ -3027,25 +3040,12 @@ Culture and Organization:
         resources: 1
       usefulness: 4
       level: 2
-      description: "Implement a program where each software development team has a
-        member considered a \u201CSecurity Champion\u201D who is the liaison between
-        Information Security and developers. Depending on the size and structure of
-        the team the \u201CSecurity Champion\u201D may be a software developer, tester,
-        or a product manager. The \u201CSecurity Champion\u201D has a set number of
-        hours per week for Information Security related activities. They participate
-        in periodic briefings to increase awareness and expertise in different security
-        disciplines. \u201CSecurity Champions\u201D have additional training to help
-        develop these roles as Software Security subject-matter experts. You may need
-        to customize the way you create and support \u201CSecurity Champions\u201D
-        for cultural reasons.\n\nThe goals of the position are to increase effectiveness
-        and efficiency of application security and compliance and to strengthen the
-        relationship between various teams and Information Security. To achieve these
-        objectives, \u201CSecurity Champions\u201D assist with researching, verifying,
-        and prioritizing security and compliance related software defects. They are
-        involved in all Risk Assessments, Threat Assessments, and Architectural Reviews
-        to help identify opportunities to remediate security defects by making the
-        architecture of the application more resilient and reducing the attack threat
-        surface.\nSource: [OWASP SAMM](https://owaspsamm.org/model/governance/education-and-guidance/stream-b/)\n"
+      description: |
+        Implement a program where each software development team has a member considered a "Security Champion" who is the liaison between Information Security and developers. Depending on the size and structure of the team the "Security Champion" may be a software developer, tester, or a product manager. The "Security Champion" has a set number of hours per week for Information Security related activities. They participate in periodic briefings to increase awareness and expertise in different security disciplines. "Security Champions" have additional training to help develop these roles as Software Security subject-matter experts. You may need to customize the way you create and support "Security Champions" for cultural reasons.
+
+        The goals of the position are to increase effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. To achieve these objectives, "Security Champions" assist with researching, verifying, and prioritizing security and compliance related software defects. They are involved in all Risk Assessments, Threat Assessments, and Architectural Reviews to help identify opportunities to remediate security defects by making the architecture of the application more resilient and reducing the attack threat surface.
+
+        [Source: OWASP SAMM](https://owaspsamm.org/model/governance/education-and-guidance/stream-b/)
       implementation:
       - uuid: c191a515-3c10-4903-a889-70c8021f2ea1
         name: OWASP Security Champions Playbook
@@ -3925,7 +3925,6 @@ Implementation:
         openCRE:
         - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
           Hardening/4cae98c2-4163-44ed-bb88-3c67c569533a
-      comments: ""
       dependsOn:
       - App. Hardening Level 2
       tags:
@@ -3934,6 +3933,69 @@ Implementation:
         Default: false
         B: false
         C: false
+    Containers are running as non-root:
+      uuid: a86c1fbc-28fd-4610-89a3-a7f73acfe45f
+      risk: |-
+        There are various reasons to run a container as non-root. Samples are listed:
+        ## Container Escape Vectors
+
+        - Root privileges significantly increase the chance of breaking container isolation
+        - Root access can be leveraged to exploit kernel vulnerabilities
+        - Compromised root containers provide attackers with maximum privileges inside the container
+        - Greater potential for escaping container boundaries to the host system
+
+        ## Host System Vulnerabilities
+
+        Root containers can potentially:
+
+        - Mount sensitive host filesystems
+        - Access critical device files
+        - Modify host network settings
+        - Interact with host system processes
+        - Override security controls
+
+        ## Resource Management Issues
+
+        Root privileges may allow containers to:
+
+        - Bypass resource quotas and limits
+        - Modify control group (cgroup) settings
+        - Interfere with other containers' resources
+        - Circumvent memory and CPU restrictions
+
+        Security Boundary Weakening
+
+        - Violates the principle of least privilege
+        - Provides unnecessary elevated permissions
+        - Expands the potential attack surface
+        - Increases the impact of a successful compromise
+      measure: "Containers are running as non-root. This can be enforced in the image
+        itself or during runtime parameters \n(e.g. `podman  run --user [...]`)."
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 1
+      usefulness: 3
+      level: 2
+      implementation: []
+      references:
+        samm2:
+        - O-EM-1-A
+        iso27001-2017:
+        - Virtual environments are not explicitly covered by ISO 27001 - too specific
+        - 13.1.3
+        iso27001-2022:
+        - Virtual environments are not explicitly covered by ISO 27001 - too specific
+        - 8.22
+        openCRE:
+        - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Application
+          Hardening/a86c1fbc-28fd-4610-89a3-a7f73acfe45f
+      tags:
+      - none
+      teamsImplemented:
+        Default: false
+        B: false
+        C: false
     Contextualized Encoding:
       uuid: e1f37abb-d848-4a3a-b3df-65e91a89dcb7
       risk: The generation of interpreter directives from user-provided data poses
@@ -3967,6 +4029,72 @@ Implementation:
         Default: false
         B: false
         C: false
+    Secure headers:
+      uuid: 29318d60-18ce-4526-80ea-f5928e49f639
+      risk: |
+        Missing or misconfigured security headers can lead to various security vulnerabilities, e.g.:
+        - Cross-Site Scripting (XSS) due to missing Content Security Policy
+        - Clickjacking attacks due to missing X-Frame-Options
+        - Information disclosure through Server header exposure
+        - SSL/TLS downgrade attacks due to missing HSTS
+        - Cross-site scripting and injection due to missing security headers
+      measure: |
+        Implement and enforce security headers across all applications and services
+
+        Implementation Methods:
+        1. Reverse Proxy/Load Balancer: Configure at nginx/Apache level
+        2. Web Application: Implement in the application middleware
+        3. Service Mesh: Configure at the ingress controller level
+        4. Standard Docker Image: Use secure base images with preset headers
+
+        Remove or Secure:
+        - Server header: Hide server version information
+        - X-Powered-By: Remove technology stack information
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 1
+        resources: 2
+      usefulness: 4
+      level: 3
+      implementation:
+      - uuid: 370b7f35-4da7-4833-89d6-7266b82ea07e
+        name: OWASP Secure Headers Project
+        tags:
+        - header
+        - documentation
+        url: https://owasp.org/www-project-secure-headers/
+        description: "The OWASP Secure Headers Project (also called OSHP) describes
+          HTTP response headers that your application can use \nto increase the security
+          of your application. Once set, these HTTP response headers can restrict
+          modern browsers \nfrom running into easily preventable vulnerabilities.
+          The OWASP Secure Headers Project intends to raise awareness\nand use of
+          these headers."
+      meta:
+        implementationGuide: |
+          Essential headers:
+          - Content-Security-Policy: Define trusted sources for content
+          - Strict-Transport-Security: Enforce HTTPS connections
+          - X-Frame-Options: Prevent clickjacking attacks
+          - X-Content-Type-Options: Prevent MIME-type sniffing
+          - X-XSS-Protection: Enable browser's XSS filtering
+          - Referrer-Policy: Control information in the Referrer header
+      references:
+        samm2:
+        - D-SR-3-A
+        iso27001-2017:
+        - Hardening is not explicitly covered by ISO 27001 - too specific
+        - 13.1.3
+        iso27001-2022:
+        - Hardening is not explicitly covered by ISO 27001 - too specific
+        - 8.22
+        openCRE:
+        - https://www.opencre.org/cre/620-421
+      tags:
+      - none
+      teamsImplemented:
+        Default: false
+        B: false
+        C: false
   Development and Source Control:
     .gitignore:
       uuid: 363a3eea-baf9-4010-88ca-bb8186a2989d
@@ -7354,7 +7482,8 @@ Test and Verification:
     Coverage of client side dynamic components:
       uuid: 9711f871-f79d-4573-8d4f-d2c98fd0d18e
       risk: Parts of the service are not covered during the scan, because JavaScript
-        is not getting executed. Therefore, the co
+        is not getting executed. Therefore, the coverage of client-side dynamic components
+        is limited, leading to potential security risks and undetected vulnerabilities.
       measure: Usage of a spider which executes dynamic content like JavaScript, e.g.
         via Selenium.
       difficultyOfImplementation:
@@ -7736,9 +7865,9 @@ Test and Verification:
           tags:
           - threat-modeling
           url: https://github.com/Threagile/threagile
-        don-t-forget-evil-u:
+        don-t-forget-evil-user-stories:
           uuid: bb5b8988-021b-452a-a914-bd36887b6860
-          name: '[Don''t Forget EVIL U'
+          name: Don't Forget EVIL User stories
           tags: []
           url: https://www.owasp.org/index.php/Agile_Software_Development
           description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
@@ -8684,6 +8813,19 @@ Test and Verification:
           - vulnerability
           url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
           description: A catalog of vulnerabilities that have been exploited.
+        owasp-secure-headers:
+          uuid: 370b7f35-4da7-4833-89d6-7266b82ea07e
+          name: OWASP Secure Headers Project
+          tags:
+          - header
+          - documentation
+          url: https://owasp.org/www-project-secure-headers/
+          description: "The OWASP Secure Headers Project (also called OSHP) describes
+            HTTP response headers that your application can use \nto increase the
+            security of your application. Once set, these HTTP response headers can
+            restrict modern browsers \nfrom running into easily preventable vulnerabilities.
+            The OWASP Secure Headers Project intends to raise awareness\nand use of
+            these headers."
       - argocd:
           uuid: fdb0e7cc-d3dd-4a2b-9f45-7d403001294f
           name: argoCD
@@ -8870,9 +9012,9 @@ Test and Verification:
           tags:
           - threat-modeling
           url: https://github.com/Threagile/threagile
-        don-t-forget-evil-u:
+        don-t-forget-evil-user-stories:
           uuid: bb5b8988-021b-452a-a914-bd36887b6860
-          name: '[Don''t Forget EVIL U'
+          name: Don't Forget EVIL User stories
           tags: []
           url: https://www.owasp.org/index.php/Agile_Software_Development
           description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
@@ -9818,6 +9960,19 @@ Test and Verification:
           - vulnerability
           url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
           description: A catalog of vulnerabilities that have been exploited.
+        owasp-secure-headers:
+          uuid: 370b7f35-4da7-4833-89d6-7266b82ea07e
+          name: OWASP Secure Headers Project
+          tags:
+          - header
+          - documentation
+          url: https://owasp.org/www-project-secure-headers/
+          description: "The OWASP Secure Headers Project (also called OSHP) describes
+            HTTP response headers that your application can use \nto increase the
+            security of your application. Once set, these HTTP response headers can
+            restrict modern browsers \nfrom running into easily preventable vulnerabilities.
+            The OWASP Secure Headers Project intends to raise awareness\nand use of
+            these headers."
       comments: ""
       tags:
       - none
@@ -10638,9 +10793,9 @@ Test and Verification:
           tags:
           - threat-modeling
           url: https://github.com/Threagile/threagile
-        don-t-forget-evil-u:
+        don-t-forget-evil-user-stories:
           uuid: bb5b8988-021b-452a-a914-bd36887b6860
-          name: '[Don''t Forget EVIL U'
+          name: Don't Forget EVIL User stories
           tags: []
           url: https://www.owasp.org/index.php/Agile_Software_Development
           description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
@@ -11586,6 +11741,19 @@ Test and Verification:
           - vulnerability
           url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
           description: A catalog of vulnerabilities that have been exploited.
+        owasp-secure-headers:
+          uuid: 370b7f35-4da7-4833-89d6-7266b82ea07e
+          name: OWASP Secure Headers Project
+          tags:
+          - header
+          - documentation
+          url: https://owasp.org/www-project-secure-headers/
+          description: "The OWASP Secure Headers Project (also called OSHP) describes
+            HTTP response headers that your application can use \nto increase the
+            security of your application. Once set, these HTTP response headers can
+            restrict modern browsers \nfrom running into easily preventable vulnerabilities.
+            The OWASP Secure Headers Project intends to raise awareness\nand use of
+            these headers."
       - uuid: 58ac9dea-b6c7-4698-904e-df89a9451c82
         name: DevSecOps control Pre-commit
         url: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls#plan-and-develop
@@ -11919,9 +12087,9 @@ Test and Verification:
           tags:
           - threat-modeling
           url: https://github.com/Threagile/threagile
-        don-t-forget-evil-u:
+        don-t-forget-evil-user-stories:
           uuid: bb5b8988-021b-452a-a914-bd36887b6860
-          name: '[Don''t Forget EVIL U'
+          name: Don't Forget EVIL User stories
           tags: []
           url: https://www.owasp.org/index.php/Agile_Software_Development
           description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)
@@ -12867,6 +13035,19 @@ Test and Verification:
           - vulnerability
           url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
           description: A catalog of vulnerabilities that have been exploited.
+        owasp-secure-headers:
+          uuid: 370b7f35-4da7-4833-89d6-7266b82ea07e
+          name: OWASP Secure Headers Project
+          tags:
+          - header
+          - documentation
+          url: https://owasp.org/www-project-secure-headers/
+          description: "The OWASP Secure Headers Project (also called OSHP) describes
+            HTTP response headers that your application can use \nto increase the
+            security of your application. Once set, these HTTP response headers can
+            restrict modern browsers \nfrom running into easily preventable vulnerabilities.
+            The OWASP Secure Headers Project intends to raise awareness\nand use of
+            these headers."
       references:
         samm2:
         - V-ST-2-A
@@ -13992,7 +14173,7 @@ Test and Verification:
         time: 3
         resources: 5
       usefulness: 3
-      level: 1
+      level: 3
       implementation: []
       references:
         samm2: