feat: enhance descriptions

Author: wurstbrot

src/assets/YAML/default/BuildAndDeployment/Build.yaml

@@ -48,9 +48,7 @@ Build and Deployment:
         A well defined build process lowers the possibility of errors during
         the build process.
       description: |
-        Sample evidence as an attribute in the yaml: The build process is defined in [REPLACE-ME Pipeline](https://replace-me/jenkins/job)
-        in the folder _vars_. Projects are using a _Jenkinsfile_ to use the
-        defined process.
+        A build process can be defined in code, for example in a `Jenkinsfile`.
       difficultyOfImplementation:
         knowledge: 2
         time: 3

src/assets/YAML/default/Implementation/ApplicationHardening.yaml

@@ -49,14 +49,16 @@ Implementation:
         iso27001-2022:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 8.22
-      isImplemented: false
       comments: ""
     Contextualized Encoding:
       uuid: e1f37abb-d848-4a3a-b3df-65e91a89dcb7
       risk:
         The generation of interpreter directives from user-provided data poses difficulties and can introduce vulnerabilities to injection attacks.
       measure: |
-        Implementing contextualized encoding, such as employing object-relational mapping tools or utilizing prepared statements, nearly removes the threat of injection vulnerabilities.
+        Implementing contextualized encoding fpr the next interpreter, such as employing object-relational mapping tools 
+        or utilizing prepared statements, nearly removes the threat of injection vulnerabilities.
+        
+        Also take into account a a secure by default UI framework, which performs automatic contextual encoding of outputs with potential malicious user input (e.g. angular).
       difficultyOfImplementation:
         knowledge: 2
         time: 2
@@ -75,6 +77,7 @@ Implementation:
         iso27001-2022:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 8.22
+      comments: ""
     App. Hardening Level 1:
       uuid: cf819225-30cb-4702-8e32-60225eedc33d
       risk:
@@ -155,7 +158,6 @@ Implementation:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 8.22
       isImplemented: false
-      evidence: ""
       comments: ""
       dependsOn:
         - App. Hardening Level 1
@@ -189,7 +191,6 @@ Implementation:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 8.22
       isImplemented: false
-      evidence: ""
       comments: ""
       dependsOn:
         - App. Hardening Level 2 (75%)

src/assets/YAML/default/Implementation/InfrastructureHardening.yaml

@@ -511,9 +511,11 @@ Implementation:
       risk:
         Evil actors might be able to perform a man in the middle attack and sniff
         confidential information (e.g. authentication factors like passwords)
-      measure:
+      measure: |-
         By using encryption at the edge of traffic in transit, it is impossible
-        or at least harder to sniff credentials being outside of the organization.
+        or at least harder to sniff credentials or information being outside of the organization.
+      
+        Useage of standard protocols like HTTPS is recommended.
       difficultyOfImplementation:
         knowledge: 2
         time: 2

src/assets/YAML/default/InformationGathering/Monitoring.yaml

@@ -291,15 +291,23 @@ Information Gathering:
         iso27001-2022:
           - Not explicitly covered by ISO 27001 - too specific
           - 5.26
-      isImplemented: false
-      evidence: ""
       comments: ""
     Simple application metrics:
       uuid: e9a6d403-a467-445e-b98a-74f0c29da0b1
       risk: Attacks on an application are not recognized.
-      measure:
-        Gathering of application metrics helps to identify incidents like brute
-        force attacks, login/logout.
+      measure: |-
+        Gathering of application metrics helps to identify incidents like brute force attacks, login/logout patterns, and unusual spikes in activity. Key metrics to monitor include:
+          - Authentication attempts (successful/failed logins)
+          - Transaction volumes and patterns (e.g. orders, payments)
+          - API call rates and response times
+          - User session metrics
+          - Resource utilization
+        
+        Example: An e-commerce application normally processes 100 orders per hour. A sudden spike to 1000 orders per hour could indicate either:
+         - A legitimate event (unannounced marketing campaign, viral social media post)
+         - A security incident (automated bulk purchase bots, credential stuffing attack)
+        
+        By monitoring these basic metrics, teams can quickly investigate abnormal patterns and determine if they represent security incidents requiring response.
       difficultyOfImplementation:
         knowledge: 2
         time: 2
@@ -315,8 +323,6 @@ Information Gathering:
           - 12.4.1
         iso27001-2022:
           - 8.15
-      isImplemented: false
-      evidence: ""
       comments: ""
     Simple budget metrics:
       uuid: f08a3219-6941-43ec-8762-4aff739f4664

src/assets/YAML/default/TestAndVerification/Consolidation.yaml

@@ -39,35 +39,6 @@ Test and Verification:
           - 5.13
           - 5.10
       tags: ["vuln-action", "defect-management"]
-    Fix based on severity:
-      uuid: 38d1bd10-7b5f-4ae1-868c-0ec813285425
-      risk: |-
-        Overwhelming volume of security findings from automated testing tools. This might lead to ignorance of findings.
-      measure: |
-       Implement a very simple risk-based prioritization framework for vulnerability remediation based on the severity of the findings.
-       
-       On level one, fix only critical findings.
-      difficultyOfImplementation:
-        knowledge: 2
-        time: 2
-        resources: 1
-      usefulness: 3
-      level: 1
-      implementation:
-      references:
-        samm2:
-          - I-DM-3-B
-        iso27001-2017:
-          - 16.1.4
-          - 8.2.1
-          - 8.2.2
-          - 8.2.3
-        iso27001-2022:
-          - 5.25
-          - 5.12
-          - 5.13
-          - 5.10
-      tags: ["vuln-action", "defect-management"]
     Advanced visualization of defects:
       uuid: 7a82020c-94d1-471c-bbd3-5f7fe7df4876
       risk:
@@ -168,11 +139,19 @@ Test and Verification:
       uuid: c1acc8af-312e-4503-a817-a26220c993a0
       risk:
         As false positive occur during each test, all vulnerabilities might be
-        ignored.
-      measure:
-        False positives are suppressed so they will not show up on the next
-        tests again. Most security tools have the possibility to suppress false positives.
-        A Vulnerability Management System might be used.
+        ignored. Specially, if tests are automated an run daily.
+      measure: |-
+        Findings from security tests must be triaged and outcomes persistend/documented to:
+          - Prevent re-analysis of known issues in subsequent test runs
+          - Track accepted risks vs false positives
+          - Enable consistent decision-making across teams
+        
+        At this maturity level, a simple tracking system suffices - tools need only distinguish between "triaged" and "untriaged" findings, without complex categorization. Some tools refer to this as "suppression" of findings.
+        
+        Samples for false positive handling:
+          - [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck/general/suppression.html)
+          - [Kubescape with VEX](https://kubescape.io/blog/2023/12/07/kubescape-support-for-vex-generation/)
+          - [OWASP DefectDojo Risk Acceptance](https://docs.defectdojo.com/en/working_with_findings/findings_workflows/risk_acceptances/) and [False Positive Handling]
       difficultyOfImplementation:
         knowledge: 1
         time: 1
@@ -248,9 +227,8 @@ Test and Verification:
         iso27001-2022:
           - 8.8
           - 5.25
-      isImplemented: false
-      evidence: ""
-      comments: ""
+      tags: ["vuln-action", "defect-management"]
+      comments: ""#
     Treatment of defects with severity high or higher:
       uuid: 44f2c8a9-4aaa-4c72-942d-63f78b89f385
       risk: Vulnerabilities with severity high or higher are not visible.
@@ -274,7 +252,7 @@ Test and Verification:
           - 8.8
           - 5.25
       implementation: []
-      isImplemented: false
+      tags: ["vuln-action", "defect-management"]
       evidence: ""
     Treatment of defects with severity middle:
       uuid: 9cac3341-fe83-4079-bef2-bfc4279eb594
@@ -297,6 +275,7 @@ Test and Verification:
           - 8.8
           - 5.25
       implementation: []
+      tags: ["vuln-action", "defect-management"]
     Usage of a vulnerability management system:
       uuid: 85ba5623-84be-4219-8892-808837be582d
       risk:

src/assets/YAML/default/TestAndVerification/Test-Intensity.yaml

@@ -70,7 +70,7 @@ Test and Verification:
       risk:
         Time pressure and ignorance might lead to false predictions for the test
         intensity.
-      measure: The intensity of the used tools are not modified to safe time.
+      measure: The intensity of the used tools are not modified to save time.
       difficultyOfImplementation:
         knowledge: 1
         time: 1

src/assets/YAML/schemas/dsomm-schema-implementation.json

@@ -135,11 +135,17 @@
                     "iso27001-2022"
                   ]
                 },
-                "isImplemented": {
-                  "type": "boolean"
+                "teamsImplemented": {
+                  "type": "array",
+                  "items": {
+                    "type": "object"
+                  }
                 },
-                "evidence": {
-                  "type": "string"
+                "teamsEvidence": {
+                  "type": "array",
+                  "items": {
+                    "type": "object"
+                  }
                 },
                 "comments": {
                   "type": "string"
@@ -155,8 +161,6 @@
                 "level",
                 "implementation",
                 "references",
-                "isImplemented",
-                "evidence",
                 "comments"
               ],
               "additionalProperties": false