Static Depth for Infrastructure from DSOMM framework

SAMMY UI is optimized for resolutions with a width 1024px and higher.

Static Depth for Infrastructure

Maturity Level 1

Maturity Level 2

Maturity Level 3

Maturity Level 4

Test for stored secrets

T-SI-1-1: Test for stored secrets

Test for secrets in code, container images and history

Description

Test for secrets in code, container images and history.

Risk:Stored secrets in git history, in container images or directly in code shouldn't exists because they might be exposed to unauthorized parties.

Test cluster deployment resources

T-SI-2-1: Test cluster deployment resources

Test the deployment configuration for virtualized environments for unsecured configurations.

Description

Test the deployment configuration for virtualized environments for unsecured configurations.

Risk:The deployment configuration (e.g. kubernetes deployment resources) might contain unsecured configurations.

Test for image lifetime

T-SI-2-2: Test for image lifetime

Check the image age of containers in production.

Description

Check the image age of containers in production.

Risk:Old container images in production indicate that patch management is not performed and therefore vulnerabilities might exists.

Test of virtualized environments

T-SI-2-3: Test of virtualized environments

Test virtualized environments for unsecured configurations.

Description

Test virtualized environments for unsecured configurations.

Risk:Virtualized environments (e.g. via Container Images) might contains unsecure configurations.

Test the cloud configuration

T-SI-2-4: Test the cloud configuration

With the help of tools, the configuration of virtual environments are tested.

Description

With the help of tools, the configuration of virtual environments are tested.

Risk:Standard hardening practices for cloud environments are not performed leading to vulnerabilities.

Test the definition of virtualized environments

T-SI-2-5: Test the definition of virtualized environments

Test the definition of virtualized environments for unsecured configurations.

Description

Test the definition of virtualized environments for unsecured configurations.

Risk:The definition of virtualized environments (e.g. viaDockerfile) might contain unsecure configurations.

Analyze logs

T-SI-3-1: Analyze logs

Check logs for keywords.

Description

Check logs for keywords.

Risk:Not aware of attacks happening.

Test for malware

T-SI-3-2: Test for malware

Check for malware in components (e.g. container images, VM baseline images, libraries).

Description

Check for malware in components (e.g. container images, VM baseline images, libraries).

Risk:Third party might include malware. Ether due to the maintainer (e.g. typo squatting of an image name and using the wrong image) or by an attacker on behalf of the maintainer with stolen credentials.

Test for new image version

T-SI-3-3: Test for new image version

Check for new images of containers in production.

Description

Check for new images of containers in production.

Risk:When a new version of an image is available, it might fix security vulnerabilities.

Correlate known vulnerabilities in infrastructure with new image versions

T-SI-4-1: Correlate known vulnerabilities in infrastructure with new image versions

TODO

Description

This practice ensures newly deployed container or VM images do not reintroduce or perpetuate known vulnerabilities that exist in the current infrastructure. This process involves cross-referencing existing vulnerability data from infrastructure scans with the components and dependencies in updated images. By continuously correlating known security issues with new image versions, organizations can proactively mitigate risks before deploying potentially vulnerable images to production.

Risk: Failing to correlate known vulnerabilities in infrastructure with new image versions can lead to the unintended deployment of insecure artifacts, which increases the risk of exploitation.

Software Composition Analysis

T-SI-4-2: Test for known vulnerabilities

Known vulnerabilities in infrastructure components like container images might get exploited.

Description

Subscribing to Github projects and reading release notes might help. Software Composition Analysis for infrastructure might help, but is often too fine-granular.

Risk: Known vulnerabilities in infrastructure components like container images might get exploited.

Test of infrastructure components for known vulnerabilities

T-SI-4-3: Test of infrastructure components for known vulnerabilities

Test for known vulnerabilities in infrastructure components. Often, the only way to respond to known vulnerabilities in operating system packages is to accept the risk and wait for a patch. As the patch needs to be applied fast when it is available, this activity depends on 'Usage of a maximum life for images'.