Merged
2 changes: 1 addition & 1 deletion data/dimensions-subdimensions-activities/BuildAndDeployment/Build.yaml
100644 → 100755
Expand Up @@ -36,7 +36,7 @@ Build and Deployment:
a result of incorrect security related configuration.
measure: A well defined build process lowers the possibility of errors during
the build process.
description-md: |
description: |
Sample evidence as an attribute in the yaml: The build process is defined in <a href="REPLACE-ME">REPLACE-ME Pipeline</a>
in the folder <i>vars</>. Projects are using a <i>Jenkinsfile</i> to use the
defined process.
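Review bot: this file used `description-md` rather than the `md-description` key the other files carry, so the old detail.php check for `md-description` would not have matched it and this text was never rendered; the rename to `description` fixes that, but the value itself still needs cleanup before it goes live: `Sample evidence as an attribute in the yaml:` reads like an author's note that leaked into content, `href="REPLACE-ME"` is an unfilled placeholder, and `<i>vars</>` is not closed (`</i>`), all of which Parsedown will pass through to the page as-is. Also, the mode change 100644 → 100755 makes a data file executable, which looks unintended; the same applies to Design.yaml, ApplicationHardening.yaml and Logging.yaml in this PR.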
6 changes: 3 additions & 3 deletions data/dimensions-subdimensions-activities/CultureAndOrganization/Design.yaml
100644 → 100755
Expand Up @@ -12,7 +12,7 @@ Culture and Organization:
resources: 2
usefulness: 3
level: 3
md-description: |
description: |
samm2: D-TA-3-B
iso27001-2017:
- not explicitly covered by ISO 27001
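Review bot: the block scalar under `description: |` is empty here (the next line, `samm2: D-TA-3-B`, is dedented), so this activity keeps rendering nothing, which is fine for a pure rename. Worth checking, though, that no activity in these files already had a plain `description` key alongside `md-description`: the rename would then produce a duplicate mapping key, which most YAML loaders resolve silently to the last occurrence rather than failing.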
Expand All @@ -38,7 +38,7 @@ Culture and Organization:
dependsOn:
- Conduction of simple threat modeling on technical level
- Creation of threat modeling processes and standards
md-description: |
description: |
**Example High Maturity Scenario:**

Based on a detailed threat model defined and updated through code, the team decides the following:
Expand Down Expand Up @@ -103,7 +103,7 @@ Culture and Organization:
- $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/threat-modeling-play
- $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/owasp-samm
- $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/threat-matrix-for-storage
md-description: |
description: |
# OWASP SAMM Description
Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment.

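Review bot: `# OWASP SAMM Description` is a level-1 heading inside a description block that Parsedown renders inline on the detail page, so it will outrank the page's own title; consider `###`, as the other descriptions in this PR use (`### Guidelines`, `### Benefits`).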
Expand Up @@ -66,7 +66,7 @@ Culture and Organization:
- G-EG-1-A
iso27001-2017:
- 7.2.2
md-description: |
description: |
Conduct security awareness training for all roles currently involved in the management, development, testing, or auditing of the software. The goal is to increase the awareness of application security threats and risks, security best practices, and secure software design principles. Develop training internally or procure it externally. Ideally, deliver training in person so participants can have discussions as a team, but Computer-Based Training (CBT) is also an option.

Course content should include a range of topics relevant to application security and privacy, while remaining accessible to a non-technical audience. Suitable concepts are secure design principles including Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability. Additionally, the training should include references to any organization-wide standards, policies, and procedures defined to improve application security. The OWASP Top 10 vulnerabilities should be covered at a high level.
Expand Down Expand Up @@ -133,7 +133,7 @@ Culture and Organization:
resources: 1
usefulness: 4
level: 2
md-description: |
description: |
Implement a program where each software development team has a member considered a “Security Champion” who is the liaison between Information Security and developers. Depending on the size and structure of the team the “Security Champion” may be a software developer, tester, or a product manager. The “Security Champion” has a set number of hours per week for Information Security related activities. They participate in periodic briefings to increase awareness and expertise in different security disciplines. “Security Champions” have additional training to help develop these roles as Software Security subject-matter experts. You may need to customize the way you create and support “Security Champions” for cultural reasons.

The goals of the position are to increase effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. To achieve these objectives, “Security Champions” assist with researching, verifying, and prioritizing security and compliance related software defects. They are involved in all Risk Assessments, Threat Assessments, and Architectural Reviews to help identify opportunities to remediate security defects by making the architecture of the application more resilient and reducing the attack threat surface.
Expand Down Expand Up @@ -288,7 +288,7 @@ Culture and Organization:
Participate with your whole team in a simple mob hacking session organized by the Security Champion Guild.
In the session the guild presents a vulnerable application and together you look at possible exploits.
Just like in mob programming there is one driver and several navigators.
md-description: |
description: |
### Guidelines for your simple mob hacking session
- All exploits happen via the user interface.
- No need for security/hacking tools.
Expand Down Expand Up @@ -327,7 +327,7 @@ Culture and Organization:
- Session management
- Request throttling
- :unicorn: (self-developed code, only used in that one software)
md-description: |
description: |
### Benefits
- New vulnerabilities may be found before reaching production.
- Old vulnerabilities are found and fixed.
2 changes: 1 addition & 1 deletion data/dimensions-subdimensions-activities/Implementation/ApplicationHardening.yaml
100644 → 100755
Expand Up @@ -18,7 +18,7 @@ Implementation:
resources: 2
usefulness: 4
level: 1
md-description: |
description: |
To tackle the security of code developed in-house, OWASP offers an extensive collection of [Cheatsheets](https://cheatsheetseries.owasp.org/) demonstrating how to implement features securely. Moreover, the Security Knowledge Framework[1] offers an extensive library of code patterns spanning several programming languages. These patterns can be used to not only jumpstart the development process, but also do so securely.

[...]
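Review bot: the trailing `[...]` is a literal truncation marker that will render as-is, and the `Security Knowledge Framework[1]` footnote has no visible target in this hunk; if the reference list lives further down in the same block that is fine, otherwise link it directly in the sentence.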
Expand Up @@ -11,7 +11,7 @@ Implementation:
resources: 1
usefulness: 2
level: 4
md-description: |
description: |

implementation:
- $ref: data/dimensions-subdimensions-activities/implementations.yaml#/implementations/stylecop
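Review bot: `description: |` is empty here as well (the next key, `implementation:`, is dedented); since detail.php guards with `!empty($element['description'])`, the empty string is treated as absent, so this is harmless, but an explicit `description: ""` or dropping the key would make the intent clearer.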
2 changes: 1 addition & 1 deletion data/dimensions-subdimensions-activities/InformationGathering/Logging.yaml
100644 → 100755
Expand Up @@ -57,7 +57,7 @@ Information Gathering:
- 12.4.1
- 18.1.1
Logging of security events:
md-description: |
description: |
Implement logging of security relevant events. The following events tend to be security relevant:
- successful/failed login/logout
- creation, change, and deletion of users
4 changes: 2 additions & 2 deletions detail.php
Expand Up @@ -85,9 +85,9 @@ function printDetail($dimension, $subdimension, $activityName, $dimensions, $rep
}


if (array_key_exists("md-description", $element) && !empty($element['md-description'])) {
if (array_key_exists("description", $element) && !empty($element['description'])) {
$Parsedown = new Parsedown();
echo $Parsedown->text($element['md-description']);
echo $Parsedown->text($element['description']);
}
if (array_key_exists("implementation", $element) && !empty($element['implementation'])) {
$implementation = $element['implementation'];
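Review bot: this is the only consumer of the key, so the rename has to land in every data file in the same change; because `array_key_exists("description", $element)` simply skips activities that still carry `md-description` (or `description-md`, as Build.yaml did), a missed file fails silently as a blank description rather than as an error. Suggest a CI check along the lines of `grep -rn "md-description\|description-md" data/` returning nothing. Separately, `$Parsedown->text()` emits raw HTML from the YAML unchanged (the Build.yaml description carries `<a href>` and `<i>` tags), which is acceptable while the data files are repo-controlled; if they ever become editable by external contributors, `$Parsedown->setSafeMode(true)` is the knob to turn on.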