
Conversation

@vbakke (Collaborator) commented Sep 22, 2025

Added missing descriptions and assessments on level 1 activities.

Feel free to comment and adjust. I reckon we should aim to avoid repeating the same message in multiple attributes of the same activity. But I might still be doing that. It would be nice to have more sets of eyes on it to improve...

@vbakke vbakke requested a review from wurstbrot September 22, 2025 15:14
@wurstbrot (Contributor) left a comment

Looks good in general.

For the assessment attribute: it was written in a way that users understand what they have to provide in order to get it marked as implemented. I do not enforce that you re-write it, but just so you know.

E.g.

The organization has a process for triaging and documenting false positives and accepted risks

could be

Provide a maximum one-year-old sample of a false positive or accepted finding, including the date, description and expiry date

@vbakke (Collaborator, Author) left a comment

Thank you for a thorough review.

Looks like I skipped Implementation and Test and Verification. I can try to add them soon.

However, could you please elaborate a bit on "Default settings for intensity"? The current text is very short, and I struggle to understand the boundaries for the activity.

Simple access control for systems:
    uuid: 82e499d1-f463-4a4b-be90-68812a874af6
    risk: Attackers are gaining access to internal systems and application interfaces
    measure: All internal systems are using simple authentication
@vbakke (Collaborator, Author) left a comment

@wurstbrot: How do you define 'simple access control'?
Or better, can you describe to me what would not classify as simple access control?

This is a basic activity, so I presume it is any basic form of authentication? I.e. requiring a username and password, or some form of API key for machine-to-machine communication?

Where do we draw the line?

@vbakke vbakke requested a review from wurstbrot December 21, 2025 15:06


2 participants