diff --git a/README.md b/README.md
index 102ee85..cd546cb 100644
--- a/README.md
+++ b/README.md
@@ -35,85 +35,85 @@ We use two rating systems: **Priority** indicates the order you should implemen
The developers laptop is where most of the magic happens, but also where most of the problems are introduced. If you want to shift as far left as you can this is where you want to land much of your embedded security.
-| Name | Priority | Description | Difficulty | Maps to security frameworks |
-| :--- | :--- | :--- | :--- | :--- |
-| Secure Code Training | 2 | Developers who receive Secure Code Training are less likely to introduce security bugs, be aware of tooling that can support them, and design systems with security in mind. | Medium |
- CIS8
- APRA234
- NIST 800-53B
- SSDF1.1
|
-| Source Code Versioning | 1 | Version Control Systems introduce peer review processes, an auditable history, and consistent work patterns between software engineers. | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
-| .gitignore | 1 | .gitignore files help prevent accidental commits of sensitive, debug, or workstation specific data | Easy | - APRA234
- CIS8
- NIST 800-53B
- SSDF1.1
|
-| Pre-Commit Hook Scans | 2 | A Pre-Commit Hook for security scans provides timely feedback to engineers and helps to prevent vulnerable code being introduced to a repository | Easy | - APRA234
- CIS8
- NIST 800-53B
- SSDF1.1
|
-| IDE plugins | 2 | Most IDE's support the use of third-party plugins, and dev's should implement these tools to highlight security issues as they happen in realtime while they are programming. | Easy | - APRA234
- CIS8
- NIST 800-53B
- SSDF1.1
|
-| Local Software Composition Analysis | 1 | Helps you find and fix libraries with known security issues | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
-| Local Static Code Analysis | 2 | Helps you find and fix security vulnerabilities in your source code | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
-| Local Sensitive Data Analysis | 1 | Audits your repository for secrets, credentials, API keys and similar in dev environment. Secrets stored in source code are visible to other people | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
-| Application Baseline | 3 | Create an application baseline | Medium | - APRA234
- CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
+| Control | Name | Priority | Description | Difficulty | Maps to security frameworks |
+| :--- | :--- | :--- | :--- | :--- | :--- |
+| 1.1 | Secure Code Training | 2 | Developers who receive Secure Code Training are less likely to introduce security bugs, be aware of tooling that can support them, and design systems with security in mind. | Medium | - CIS8
- APRA234
- NIST 800-53B
- SSDF1.1
|
+| 1.2 | Source Code Versioning | 1 | Version Control Systems introduce peer review processes, an auditable history, and consistent work patterns between software engineers. | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
+| 1.3 | .gitignore | 1 | .gitignore files help prevent accidental commits of sensitive, debug, or workstation specific data | Easy | - APRA234
- CIS8
- NIST 800-53B
- SSDF1.1
|
+| 1.4 | Pre-Commit Hook Scans | 2 | A Pre-Commit Hook for security scans provides timely feedback to engineers and helps to prevent vulnerable code being introduced to a repository | Easy | - APRA234
- CIS8
- NIST 800-53B
- SSDF1.1
|
+| 1.5 | IDE plugins | 2 | Most IDE's support the use of third-party plugins, and dev's should implement these tools to highlight security issues as they happen in realtime while they are programming. | Easy | - APRA234
- CIS8
- NIST 800-53B
- SSDF1.1
|
+| 1.6 | Local Software Composition Analysis | 1 | Helps you find and fix libraries with known security issues | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
+| 1.7 | Local Static Code Analysis | 2 | Helps you find and fix security vulnerabilities in your source code | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
+| 1.8 | Local Sensitive Data Analysis | 1 | Audits your repository for secrets, credentials, API keys and similar in dev environment. Secrets stored in source code are visible to other people | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
+| 1.9 | Application Baseline | 3 | Create an application baseline | Medium | - APRA234
- CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
Source code management (SCM)
Most companies now store their source code in cloud based repositories like GitHub, Bitbucket or Gitlab. Even if you don't, you will use a centralized place for your software engineers to store their code. Centralization and versioning means that these developers can work together without (mostly) stepping on each others toes. Joe and Molly can both be working on the same component, file or function but their changes won't necessarily break the other ones changes. SCM is also a GREAT place to deploy security functions like server side git hooks and multi-factor authentication for your developers!
-| Name | Priority | Description | Difficulty | Maps to security frameworks |
-| :--- | :--- | :--- | :--- | :--- |
-| Source Code Management | 1 | Use a centralized source code management (SCM) system like Bitbucket, GitHub or Gitlab | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
-| User Roles | 1 | Create unique user and team roles so that access to source code can be tailored | Easy | - APRA234
- CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
-| SSH | 2 | Use the SSH protocol to access your repositories instead of HTTPS | Easy | - APRA234
- CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
-| Multi-Factor Authentication | 1 | Make sure all developers use multi-factor authentication (MFA) when pulling, fetching or pushing code to remote. This is especially important if you use company email as your login for SCM | Easy | - APRA234
- CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
-| Server side git hook | 3 | Utilize a server side git hook like update or post-receive hook to run automatic scans | Medium | - APRA234
- CIS8
- NIST 800-53B
- SSDF1.1
|
-| Developer Collaboration | 2 | Use collaboration tools to document the changes to a software application | Difficult | - APRA234
- CIS8
- NIST 800-53B
- SSDF1.1
|
-| Pull Requests | 1 | Enforce pull or merge requests so all code is verified by team lead or senior engineer | Easy | - APRA234
- CIS8
- ISO27001
- NIST 800-53B
- SSDF1.1
|
-| Peer reviews | 1 | Enforce peer reviews by software engineers colleagues to increase code quality and security | Easy built-in | - APRA234
- CIS8
- ISO27001
- NIST 800-53B
- SSDF1.1
|
+| Control | Name | Priority | Description | Difficulty | Maps to security frameworks |
+| :--- | :--- | :--- | :--- | :--- | :--- |
+| 2.1 | Source Code Management | 1 | Use a centralized source code management (SCM) system like Bitbucket, GitHub or Gitlab | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
+| 2.2 | User Roles | 1 | Create unique user and team roles so that access to source code can be tailored | Easy | - APRA234
- CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
+| 2.3 | SSH | 2 | Use the SSH protocol to access your repositories instead of HTTPS | Easy | - APRA234
- CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
+| 2.4 | Multi-Factor Authentication | 1 | Make sure all developers use multi-factor authentication (MFA) when pulling, fetching or pushing code to remote. This is especially important if you use company email as your login for SCM | Easy | - APRA234
- CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
+| 2.5 | Server side git hook | 3 | Utilize a server side git hook like update or post-receive hook to run automatic scans | Medium | - APRA234
- CIS8
- NIST 800-53B
- SSDF1.1
|
+| 2.6 | Developer Collaboration | 2 | Use collaboration tools to document the changes to a software application | Difficult | - APRA234
- CIS8
- NIST 800-53B
- SSDF1.1
|
+| 2.6 | Pull Requests | 1 | Enforce pull or merge requests so all code is verified by team lead or senior engineer | Easy | - APRA234
- CIS8
- ISO27001
- NIST 800-53B
- SSDF1.1
|
+| 2.8 | Peer reviews | 1 | Enforce peer reviews by software engineers colleagues to increase code quality and security | Easy | - APRA234
- CIS8
- ISO27001
- NIST 800-53B
- SSDF1.1
|
CI/CD Pipelines and Automation
Modern web applications are built using modern continuous integration and deployment processes. This means that you run tests specific to whatever environment you are pushing to whether that's DEV, STAGING or PROD.
-| Name | Priority | Description | Difficulty | Maps to security frameworks |
-| :--- | :--- | :--- | :--- | :--- |
-| CI/CD pipeline | 1 |Implement a CI/CD pipeline | Medium | - APRA234
- CIS8
- ISM GSD
- ISO27001
- SSDF1.1
|
-| Application Environments | 2 | Create separate environments for dev, staging and prod, and treat each as independent with its own data, testing and requirements | Medium | - CIS8
- ISM GSD
- ISO27001
- SSDF1.1
|
-| Application Data Separation | 3 | Make sure that dev and test environments are **not** using the same data as production. If the use of live data is required then make sure that data is anonymized. | Difficult | - CIS8
- ISM GSD
- ISO27001
- SSDF1.1
|
-| CI/CD Administration | 3 | Create and enforce user or team roles so that only the appropriate people can change or disable tests and deployment requirements | Medium | - CIS8
- ISM GSD
- ISO27001
- SSDF1.1
|
-| Credential Store | 1 | Create a secure encrypted place to store senstive credentials like passwords, API keys, etc. | Medium | - APRA234
- CIS8
- ISM GSD
- NIST 800-53.2b
- SSDF1.1
|
-| Centralized Software Composition Analysis | 1 | Scan source code for vulnerable libraries and open source software from within a CD stage | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53.2a
- SSDF1.1
|
-| Centralized Static Code Analysis | 2 | Scan source code for vulnerabilities in the source code itself from within a CD stage | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53.2b
- SSDF1.1
|
-| Centralized Sensitive Data Analysis | 2 | Scan source code for secrets, credentials, API keys and similar from within a CD stage | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
-| DAST | 3 | Scan running application for vulnerabilities | Medium | - CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- NIST 800-53B
- SSDF1.1
|
+| Control | Name | Priority | Description | Difficulty | Maps to security frameworks |
+| :--- | :--- | :--- | :--- | :--- | :--- |
+| 3.1 | CI/CD pipeline | 1 |Implement a CI/CD pipeline | Medium | - APRA234
- CIS8
- ISM GSD
- ISO27001
- SSDF1.1
|
+| 3.2 | Application Environments | 2 | Create separate environments for dev, staging and prod, and treat each as independent with its own data, testing and requirements | Medium | - CIS8
- ISM GSD
- ISO27001
- SSDF1.1
|
+| 3.3 | Application Data Separation | 3 | Make sure that dev and test environments are **not** using the same data as production. If the use of live data is required then make sure that data is anonymized. | Difficult | - CIS8
- ISM GSD
- ISO27001
- SSDF1.1
|
+| 3.4 | CI/CD Administration | 3 | Create and enforce user or team roles so that only the appropriate people can change or disable tests and deployment requirements | Medium | - CIS8
- ISM GSD
- ISO27001
- SSDF1.1
|
+| 3.5 | Credential Store | 1 | Create a secure encrypted place to store senstive credentials like passwords, API keys, etc. | Medium | - APRA234
- CIS8
- ISM GSD
- NIST 800-53.2b
- SSDF1.1
|
+| 3.6 | Centralized Software Composition Analysis | 1 | Scan source code for vulnerable libraries and open source software from within a CD stage | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53.2a
- SSDF1.1
|
+| 3.7 | Centralized Static Code Analysis | 2 | Scan source code for vulnerabilities in the source code itself from within a CD stage | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53.2b
- SSDF1.1
|
+| 3.8 | Centralized Sensitive Data Analysis | 2 | Scan source code for secrets, credentials, API keys and similar from within a CD stage | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
+| 3.9 | DAST | 3 | Scan running application for vulnerabilities | Medium | - CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- NIST 800-53B
- SSDF1.1
|
Deployment
Applications are deployed somewhere whether that's an AWS Lambda, S3 bucket or some old crusty server in the corner of the server room. In any case, DevSecOps best practices mean that you need to include that deployment location in your processes.
-| Name | Priority | Description | Difficulty | Maps to security frameworks |
-| :--- | :--- | :--- | :--- | :--- |
-| Valid SSL Certificate | 1 | Create and use a valid SSL certificate for each application URL, or implement a wildcard cert | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
-| Encrypt Traffic | 1 | Encrypt all traffic that's public facing | Medium | - APRA234
- CIS8
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
-| Redirect to HTTPS | 1 | Configure web service to redirect all inbound requests to port 80 to the secure HTTPS endpoint | Easy | - CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
-| HSTS | 1 | Enable HSTS in your webserver, load balancer or CDN | Easy | - CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
-| CSP | 1 | Enable content security policy (CSP) in the webserver, load balancer or CDN | Easy | - CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
|
-| Use Current Software | 1 | Use the most recent versions of application components, languages, frameworks and operating systems | Difficult | - CIS8
- ISM GSD
- ISO27001
- SSDF1.1
|
-| Alternative Deployment | 3 | Have tested and working altnerative way to deploy changes to your applicaiton other than using your standard process with GitHub or Bitbucket in case they go down. This must include the ability to push to PROD from local in emergencies. | Difficult | |
-| security.txt | 1 | Create a security.txt file in the root of your application so people know how to contact you about security issues | Easy | |
-| X-Forwarded-By | 2 | Configure your webservers, load balancers & web proxies to include the X-Forwarded-By: header | Easy | - APRA234 ATM D-2-d-i
- CIS8
- NIST 800
|
-| Logging | 1 | Collect application logs in realtime and send to centralized storage or SIEM | Medium | - CIS8 16.11
- APRA234
- ISM GSM
- NIST 800
- SSDF1.1
|
-| WAF | 2 | Implement a web application firewall (WAF) to protect your application from known attacks | Medium | - APRA234
- CIS8
- NIST 800-53.2a
|
-| CDN | 3 | Use a content delivery network (CDN) whenever possible to add availability and security to you applications | Medium | - APRA234
- CIS8
- ISM GN
- NIST 800-53.2a
|
-| Harden Operating System | 2 | Harden operating system using industry best practices from CIS, ISM, etc | Difficult | - CIS8
- ISM GSM
- ISM GOSH
- SSDF1.1
|
-| Encrypt Storage | 3 | Encrypt all filesystems, disks and cloud storage | Medium | |
-| SBOM | 3 | Generate a **real-time** software bill-of-materials (SBOM) | Medium | - CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
-| Monitor Application | 1 | Monitor your application in real-time so you know when its state changes for the worse (or better). This includes uptime, performance and security monitoring | Medium | |
+| Control | Name | Priority | Description | Difficulty | Maps to security frameworks |
+| :--- | :--- | :--- | :--- | :--- | :--- |
+| 4.1 | Valid SSL Certificate | 1 | Create and use a valid SSL certificate for each application URL, or implement a wildcard cert | Easy | - APRA234
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
+| 4.2 | Encrypt Traffic | 1 | Encrypt all traffic that's public facing | Medium | - APRA234
- CIS8
- CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
+| 4.3 | Redirect to HTTPS | 1 | Configure web service to redirect all inbound requests to port 80 to the secure HTTPS endpoint | Easy | - CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
+| 4.4 | HSTS | 1 | Enable HSTS in your webserver, load balancer or CDN | Easy | - CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
- SSDF1.1
|
+| 4.5 | CSP | 1 | Enable content security policy (CSP) in the webserver, load balancer or CDN | Easy | - CIS8
- ISM GSD
- ISO27001
- NIST 800-53B
|
+| 4.6 | Use Current Software | 1 | Use the most recent versions of application components, languages, frameworks and operating systems | Difficult | - CIS8
- ISM GSD
- ISO27001
- SSDF1.1
|
+| 4.7 | Alternative Deployment | 3 | Have tested and working altnerative way to deploy changes to your applicaiton other than using your standard process with GitHub or Bitbucket in case they go down. This must include the ability to push to PROD from local in emergencies. | Difficult | |
+| 4.8 | security.txt | 1 | Create a security.txt file in the root of your application so people know how to contact you about security issues | Easy | |
+| 4.9 | X-Forwarded-By | 2 | Configure your webservers, load balancers & web proxies to include the X-Forwarded-By: header | Easy | - APRA234 ATM D-2-d-i
- CIS8
- NIST 800
|
+| 4.10 | Logging | 1 | Collect application logs in realtime and send to centralized storage or SIEM | Medium | - CIS8 16.11
- APRA234
- ISM GSM
- NIST 800
- SSDF1.1
|
+| 4.11 | WAF | 2 | Implement a web application firewall (WAF) to protect your application from known attacks | Medium | - APRA234
- CIS8
- NIST 800-53.2a
|
+| 4.12 | CDN | 3 | Use a content delivery network (CDN) whenever possible to add availability and security to you applications | Medium | - APRA234
- CIS8
- ISM GN
- NIST 800-53.2a
|
+| 4.13 | Harden Operating System | 2 | Harden operating system using industry best practices from CIS, ISM, etc | Difficult | - CIS8
- ISM GSM
- ISM GOSH
- SSDF1.1
|
+| 4.14 | Encrypt Storage | 3 | Encrypt all filesystems, disks and cloud storage | Medium | |
+| 4.15 | SBOM | 3 | Generate a **real-time** software bill-of-materials (SBOM) | Medium | - CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
+| 4.16 | Monitor Application | 1 | Monitor your application in real-time so you know when its state changes for the worse (or better). This includes uptime, performance and security monitoring | Medium | |
Organization
People don't deploy applications, organizations do. Some steps in the DevSecOps playbook need to be owned by the Organization itself.
-| Name | Priority | Description | Difficulty | Maps to security frameworks |
-| :--- | :--- | :--- | :--- | :--- |
-| Penetration Testing | 2 | Have your application pentested regularly | Medium | - CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
-| Threat Modeling | 3 | Build a collaborative way for developers and security staff to understand the threat landscape for an individual application | Difficult | - CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
-| SIEM | 3 | Implement a SIEM and send all application, system and cloud logs to it | Difficult | |
-| Attack Surface Management | 1 | Identify public facing resources via automation | Easy | - CIS8
- CIS8
- NIST 800-53B
- SSDF1.1
|
-| Sovereignty | 1 | Require that all code is written in, stored in, or otherwise served from a location and/or sovereignty that aligns with orgs requirements | Medium | |
-| Vulnerability Disclosure | 1 | Create and publish a set of procedures to let people contact you when they find security issues in your app | Easy | |
-| Bug Bounty | 3 | Setup a bug bounty program to incentivize security researchers to tell you about vulnerabilities they find | Medium | - CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
+| Control | Name | Priority | Description | Difficulty | Maps to security frameworks |
+| :--- | :--- | :--- | :--- | :--- | :--- |
+| 5.1 | Penetration Testing | 2 | Have your application pentested regularly | Medium | - CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
+| 5.2 | Threat Modeling | 3 | Build a collaborative way for developers and security staff to understand the threat landscape for an individual application | Difficult | - CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
+| 5.3 | SIEM | 3 | Implement a SIEM and send all application, system and cloud logs to it | Difficult | |
+| 5.4 | Attack Surface Management | 1 | Identify public facing resources via automation | Easy | - CIS8
- CIS8
- NIST 800-53B
- SSDF1.1
|
+| 5.5 | Sovereignty | 1 | Require that all code is written in, stored in, or otherwise served from a location and/or sovereignty that aligns with orgs requirements | Medium | |
+| 5.6 | Vulnerability Disclosure | 1 | Create and publish a set of procedures to let people contact you when they find security issues in your app | Easy | |
+| 5.7 | Bug Bounty | 3 | Setup a bug bounty program to incentivize security researchers to tell you about vulnerabilities they find | Medium | - CIS8
- ISM GSD
- NIST 800-53B
- SSDF1.1
|
![DevSecOps Continuous Improvement](devsecops-controls.jpg)
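Review bot: the new control numbering in the SCM table is wrong: `2.6` is assigned to both `Developer Collaboration` and `Pull Requests`, and the table then jumps to `2.8` for `Peer reviews`, so `Pull Requests` should be `2.7`; since these IDs are now the key readers will cite for each control, this needs fixing before merge. While every row is being rewritten anyway, the framework column still carries duplicated entries that should be dropped: `CIS8` appears twice under 4.2 `Encrypt Traffic`, `NIST 800-53B` twice under 3.9 `DAST`, and `CIS8` twice under 5.4 `Attack Surface Management`. The same pass could fix the carried-over typos (`senstive` in 3.5, `altnerative` and `applicaiton` in 4.7, `IDE's`/`dev's` in 1.5) and the missing space after the cell separator in 3.1 (`| 1 |Implement a CI/CD pipeline |`). The NIST references also use four different spellings across rows (`NIST 800-53B`, `NIST 800-53.2a`, `NIST 800-53.2b` and bare `NIST 800`), which makes the mapping column hard to filter on; one naming scheme would help. Note that 2.8 `Peer reviews` also changes its difficulty from `Easy built-in` to `Easy`, which is fine if intended but is a content change hidden inside a renumbering commit. Finally, this change renames `devsecops-loop-securestack-final.png` to `devsecops-loop-securestack-final-1280x640.png` but the README hunk updates no image reference to match; confirm the README does not still reference the old filename.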
diff --git a/devsecops-infinity.png b/devsecops-infinity.png
deleted file mode 100644
index 3f0c85e..0000000
Binary files a/devsecops-infinity.png and /dev/null differ
diff --git a/devsecops-loop-securestack-final.png b/devsecops-loop-securestack-final-1280x640.png
similarity index 100%
rename from devsecops-loop-securestack-final.png
rename to devsecops-loop-securestack-final-1280x640.png
diff --git a/devsecops-loop-securestack-final.jpg b/devsecops-loop-securestack-final.jpg
deleted file mode 100644
index 437866c..0000000
Binary files a/devsecops-loop-securestack-final.jpg and /dev/null differ