Included feedback from PR #46

Author: vbakke

src/assets/YAML/default/BuildAndDeployment/Deployment.yaml

@@ -70,14 +70,15 @@ Build and Deployment:
     Defined deployment process:
       uuid: 74938a3f-1269-49b9-9d0f-c43a79a1985a
       description: |
-        A defined deployment process is a documented and automated set of steps for releasing software into production. It ensures that deployments are consistent, secure, and auditable, reducing the risk of errors and unauthorized changes. This process should include validation, approval, and rollback mechanisms.
+        A defined deployment process is a documented and automated set of steps for releasing software into production. It ensures that deployments are consistent, secure, and auditable, reducing the risk of errors and unauthorized changes.
       risk: >-
         Deployment based human routines are error prone, and of insecure or malfunctioning artifacts.
       measure: >-
-        Defining a deployment process ensures that there are
-        established criteria in terms of functionalities,
-        security, compliance, and performance,
-        and that the artifacts meet them.
+        Defining a deployment process ensures that there are established criteria in terms of functionalities, security, compliance, and performance, and that the artifacts meet them.
+      assessment: |
+        - Deployment process is documented and available to relevant staff
+        - All deployment steps are automated
+        - Provide audit logs or evidence of deployments
       level: 1
       difficultyOfImplementation:
         knowledge: 2
@@ -98,11 +99,6 @@ Build and Deployment:
         iso27001-2022:
           - 5.37
           - 8.32
-      assessment: |
-        - Deployment process is documented and available to relevant staff
-        - All deployment steps are automated
-        - Rollback procedures are defined and tested [Keep??? Delete???]
-        - Provide audit logs or evidence of deployments
       isImplemented: false
       evidence: ""
       comments: ""

src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml

@@ -420,7 +420,8 @@ Culture and Organization:
       measure: |
         Make security consulting available to teams on request, ensuring that expert advice is accessible when needed to address security concerns during development.
       assessment: |
-        Records show that teams have access to security consulting services and have used them when needed. Documentation of consultations and resulting actions is available for review.
+        - Show evidence that an it security expert is available for questions at least quarterly.
+        - Documentation of consultations and resulting actions is available for review.
       difficultyOfImplementation:
         knowledge: 3
         time: 1

src/assets/YAML/default/InformationGathering/Monitoring.yaml

@@ -366,10 +366,9 @@ Information Gathering:
       risk: |
         Without monitoring system metrics, it is difficult to detect incidents or performance issues, leading to delayed response, reduced availability, and increased risk of undetected attacks.
       measure: |
-        Collect and monitor key system metrics, including CPU, memory, and disk usage. Set up alerts for abnormal resource consumption or patterns that may indicate incidents or attacks.
+        Collect and monitor key system metrics, including CPU, memory, and disk usage.
       assessment: |
         - Basic system metrics are monitored and reviewed regularly
-        - Alerting outside given thresholds are implemented
       level: 1
       difficultyOfImplementation:
         knowledge: 2

src/assets/YAML/default/TestAndVerification/Consolidation.yaml

@@ -138,13 +138,13 @@ Test and Verification:
     Simple false positive treatment:
       uuid: c1acc8af-312e-4503-a817-a26220c993a0
       description: |
-        Security tests may produce false positives—findings that are incorrectly identified as vulnerabilities.
+        Security tests may produce false positives (or _"false alarms"_), findings that are incorrectly identified as vulnerabilities.
 
-        It is important distinguish these from true vulnerabilities to avoid wasting time and resources on non-issues.
+        It is important distinguish these from true positive vulnerabilities to avoid wasting time and resources on non-issues.
 
         False positive treatment ensures that findings from security tests are triaged and documented, allowing teams to distinguish between real vulnerabilities and false positives. This reduces unnecessary work and helps maintain focus on true risks.
 
-        Some positive findings might be considered an accepted risk by the organization. This must also be documented.
+        Some positive findings might be considered an _accepted risk_ by the organization. This must also be documented.
       risk: |
         If false positives are not managed, teams may ignore all findings, leading to real vulnerabilities being overlooked and increasing the risk of exploitation. Specially, if tests are automated an run daily.
       measure: |
@@ -278,18 +278,17 @@ Test and Verification:
           - 5.25
       tags: ["vuln-action", "defect-management"]
       comments: ""
-    Treatment of defects with severity high or higher:
+    Treatment of defects with high or critical severity:
       uuid: 44f2c8a9-4aaa-4c72-942d-63f78b89f385
       description: |
         All security problems that are rated as "high" or "critical" must be fixed before the software can be released or used in production. This means that if a serious vulnerability is found, it cannot be ignored or postponed.
       risk: |
         If serious security problems are not fixed, attackers could exploit them to steal data, disrupt services, or cause other harm. Ignoring these issues puts the organization, its customers, and its reputation at risk.
       measure: |
-        - Make it a rule that all high or critical security findings must be fixed before the software is approved for release or use.
+        - Make it a rule that all _high_ or _critical_ security findings must be fixed before the software is approved for release or use.
         - Track these issues and make sure they are resolved quickly.
-        - Pay extra attention to Known Exploited Vulnerabilities (KEV) from CISA and EPSS scores when prioritizing fixes.
       assessment: |
-        There is clear evidence that all high or critical security issues are tracked and fixed before release. No high or critical issues remain open in production systems.
+        - Provide evidence that vulnerabilities are treated within the defined time frame in production. For example via the DSOMM activity [Number of vulnerabilities/severity](./activity-description?uuid=bc548cba-cb82-4f76-bd4b-325d9d256279) or [Patching mean time to resolution via PR](./activity-description?uuid=86d490b9-d798-4a5b-a011-ab9688014c46) with extra deployment statistics.
       comments: False positive analysis, specially for static analysis, is time consuming.
       level: 1
       difficultyOfImplementation:
@@ -307,12 +306,11 @@ Test and Verification:
           - 8.8
           - 5.25
       implementation:
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/cisa-kev
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/trivy
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/grype
       tags: ["vuln-action", "defect-management"]
       evidence: ""
-    Treatment of defects with severity middle:
+    Treatment of defects with medium severity:
       uuid: 9cac3341-fe83-4079-bef2-bfc4279eb594
       risk: Vulnerabilities with severity middle are not visible.
       measure: Vulnerabilities with severity middle are added to the quality gate.

src/assets/YAML/default/TestAndVerification/StaticDepthForApplications.yaml

@@ -322,16 +322,21 @@ Test and Verification:
       comments: ""
     Exploit likelihood estimation:
       uuid: f2f0f274-c1a0-4501-92fe-7fc4452bc8ad
-      risk: |-
+      description: |
+        Severity-based vulnerability triage alone generates a lot false positives, requiring a more refined approach.
+        
+        Use the likelihood of exploitation by using *known exploited vulnerabilities* (CISA KEV), or prediction models such as 
+        *Exploit Prediction Scoring System* (EPSS).
+      risk: |
         Without proper prioritization, organizations may waste time and effort on low-risk vulnerabilities while neglecting critical ones.
-      measure: Estimate the likelihood of exploitation by using data (CISA KEV) from the past or prediction models (e.g. Exploit Prediction Scoring System, EPSS).
-      description: Severity-based vulnerability triage alone generates a lot false positives, requiring a more refined approach.
+      measure: |
+        Use CISA KEV and EPSS to prioritize vulnerabilities that are more likely to be exploited.
       difficultyOfImplementation:
         knowledge: 2
         time: 2
         resources: 2
       usefulness: 4
-      level: 3
+      level: 2
       dependsOn:
         - d918cd44-a972-43e9-a974-eff3f4a5dcfe # SCA for server
       implementation: