DevSecOps-MaturityModel
Risk catalog
I wish
- risks to be in a vocabulary
Note
- Risks are frequently reused; having a "vocabulary" would make it easier to manage them
- A vocabulary can be easily implemented using YAML anchors, which are resolved automatically by the YAML parser
Example
It could be something like this, e.g. moving activities under a given activities section, like other YAML formats (e.g. OpenAPI) do.

```yaml
components:
  risks:
    vulnerable-container: &vulnerable-container Vulnerabilities in images of running containers stay for too long and might get exploited.
    unpatched-os: &unpatched-os The operating system is not patched
activities:
  Usage of a maximum lifetime for images:
    risks:
      - *vulnerable-container
      - *unpatched-os
```
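An added example (not code from the issue or the project) of what the vocabulary buys you once the parser has resolved the anchors: the constructed model below follows the proposed layout with a second activity added, and the index it builds answers "which activities address a given risk". It assumes Ruby's standard-library YAML (Psych); the `MODEL` text, the second activity and the helper names are constructed for the example.

```ruby
require 'yaml'

# Constructed sample in the proposed layout (not the project's own data files):
# a risk vocabulary under components.risks, referenced from activities via aliases.
MODEL = <<~YAML
  components:
    risks:
      vulnerable-container: &vulnerable-container >-
        Vulnerabilities in images of running containers stay for too long
        and might get exploited.
      unpatched-os: &unpatched-os The operating system is not patched.
  activities:
    Usage of a maximum lifetime for images:
      risks:
        - *vulnerable-container
        - *unpatched-os
    Patch management for hosts:
      risks:
        - *unpatched-os
YAML

# Aliases must be enabled explicitly: safe_load rejects them by default, which is
# the right setting for untrusted input (alias expansion bombs). The model files
# are first-party, so enabling them here is a deliberate choice.
def load_model(text)
  YAML.safe_load(text, aliases: true)
end

# Invert the mapping: for each vocabulary entry, which activities address it?
# An alias expands to exactly the vocabulary string, so matching on the resolved
# text is reliable; free text that bypasses the vocabulary is reported as an error.
def activities_per_risk(model)
  vocab = model.fetch('components').fetch('risks')
  index = Hash.new { |h, k| h[k] = [] }
  model.fetch('activities').each do |name, activity|
    activity.fetch('risks', []).each do |risk_text|
      key = vocab.key(risk_text)
      raise "activity #{name.inspect} uses a risk not in the vocabulary: #{risk_text.inspect}" if key.nil?
      index[key] << name
    end
  end
  index
end

if __FILE__ == $PROGRAM_NAME
  activities_per_risk(load_model(MODEL)).each { |risk, names| puts "#{risk}: #{names.join(', ')}" }
end
```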
Do you have a suggestion of how to implement this feature in the proposed markdown version? https://github.com/wurstbrot/DevSecOps-MaturityModel/issues/38
@ioggstream Do you think it makes sense to implement the proposed structure from https://github.com/wurstbrot/DevSecOps-MaturityModel/issues/35#issuecomment-772606905 before we implement the placeholder (named vocabulary by you)? Folder structure:

```
data
  <dimension>
    <maturity level>
      fileX.yaml
      fileY.yaml
```
I feel that the new structure can be coded, while the placeholders are a manual effort. After the placeholders are there, the manual effort to implement the proposed structure would be more
Note to self: this model seems to conflate risks and threats, probably taking the risk assessment for granted. This conflation can be justified because we are interested in how much an action mitigates a given threat.
@wurstbrot We could just reference a threat / risk taxonomy and generate risk description from there.