Merge pull request #163 from owaspsamm/release/v2.1.0
Release/v2.1.0
SebaDele authored Sep 18, 2024
2 parents 322da99 + 3e33d4b commit 59fd97f
Showing 176 changed files with 291 additions and 234 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -29,6 +29,8 @@ jobs:
- run: tar -cvzf samm.tar.gz images model texts
- name: Generate Excel spreadsheet from the model
uses: owaspsamm/toolbox-spreadsheet@main
with:
version: ${{ env.RELEASE_VERSION }}
- name: Build Changelog
id: github_release
uses: mikepenz/release-changelog-builder-action@v3
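Review bot: the new `version: ${{ env.RELEASE_VERSION }}` input is handed to `owaspsamm/toolbox-spreadsheet@main`, a floating branch reference inside the release job, while the neighbouring `mikepenz/release-changelog-builder-action@v3` is at least tag-pinned; a job that produces published release artifacts should pin the spreadsheet action to a tag or commit SHA so a later push to `main` cannot silently change what the release contains. The step also relies on `env.RELEASE_VERSION` being set earlier in the job, outside this hunk, so it is worth confirming that it is populated on tag pushes.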
37 changes: 37 additions & 0 deletions .github/workflows/reusable-create-translation-branch.yml
@@ -0,0 +1,37 @@
name: Create new translation version branch in language repository

on:
workflow_call:
inputs:
source_branch:
required: true
type: string
source_folder:
required: true
type: string
new_branch_name:
required: true
type: string

jobs:
pull_and_create_branch:
runs-on: ubuntu-latest

steps:
- name: Checkout current repo
uses: actions/checkout@v3
- name: Set up Git with GitHub Actions bot identity
run: |
git config --global user.name "github-actions[bot]"
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Pull content from another repository
run: |
git clone --branch ${{ inputs.source_branch }} --single-branch https://github.com/owaspsamm/core temp-repo
rm -rf temp-repo/.git
rsync -a --exclude='.git' temp-repo/ .
- name: Create a new branch with the pulled content
run: |
git checkout -b ${{ inputs.new_branch_name }}
git add ${{ inputs.source_folder }}
git commit -m "Pulled content from ${{ inputs.source_repo }}:${{ inputs.source_branch }}"
git push origin ${{ inputs.new_branch_name }}
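Review bot: the commit message in the last step references `${{ inputs.source_repo }}`, but the `workflow_call` inputs only declare `source_branch`, `source_folder` and `new_branch_name`, so the expression expands to an empty string and the message will read `Pulled content from :<branch>`; either add a `source_repo` input or hard-code `owaspsamm/core`, which is what the clone step actually pulls. The caller-supplied inputs are also interpolated directly into `run:` shell lines; routing them through `env:` and quoting them (for example `"$SOURCE_BRANCH"`) keeps whatever a calling workflow passes from being interpreted by the shell. Finally, `rsync -a --exclude='.git' temp-repo/ .` copies the entire cloned tree over the checkout, including `.github/` from the source repository, while only `${{ inputs.source_folder }}` is staged and `temp-repo` is never removed; narrowing the rsync source to the folder that is committed and deleting `temp-repo` afterwards would make the step do only what the step name says.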
44 changes: 44 additions & 0 deletions .github/workflows/reusable-yaml-process.yml
@@ -0,0 +1,44 @@
name: Reusable workflow to convert yaml files to markdown

on:
workflow_call:
inputs:
language:
required: true
type: string
branch:
required: true
type: string
model_folder:
required: true
type: string
jobs:
generate-markdown:
runs-on: ubuntu-latest
steps:
- name: 'Checkout using release is workflow dispatched'
uses: actions/checkout@v3
with:
ref: ${{ inputs.branch }}
- name: 'Create output dir and copy files to override spaces in directories'
run: |
mkdir output
- name: 'Generate model for website'
uses: docker://backnot/owasp-samm-process-yaml-content:latest
with:
args: '-d ${{ inputs.model_folder }} -o output -l ${{ inputs.language }}'
- name: 'Move generated files to common directory structure'
run: |
mkdir -p build/business-function/practice/stream
BASE=output/markdown
cp "$BASE"/{Design.md,Governance.md,Implementation.md,Operations.md,Verification.md} build/business-function
cp "$BASE"/*-??-?.md build/business-function/practice/stream
cp "$BASE"/*-??.md build/business-function/practice
- name: Deploy
uses: s0/git-publish-subdir-action@develop
env:
REPO: self
BRANCH: markdown
FOLDER: build
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SQUASH_HISTORY: false
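Review bot: the 'Generate model for website' step runs `docker://backnot/owasp-samm-process-yaml-content:latest`, an unpinned image from a personal namespace, and the 'Deploy' step then pushes its output to the `markdown` branch with `secrets.GITHUB_TOKEN`; pin the image to an immutable digest (`@sha256:...`) or a versioned tag so the published content cannot change without a reviewed diff, and do the same for `s0/git-publish-subdir-action@develop`, which tracks a development branch. Two smaller points: `model_folder` and `language` go unquoted into the container `args:` string, so a value containing spaces would be split into extra arguments; and the step names 'Checkout using release is workflow dispatched' and 'Create output dir and copy files to override spaces in directories' do not describe what the steps do (a checkout of `ref: ${{ inputs.branch }}` and a bare `mkdir output`).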
6 changes: 3 additions & 3 deletions .github/workflows/yaml-process.yml
Expand Up @@ -46,7 +46,7 @@ jobs:
run: |
mkdir output
- name: 'Generate model for website'
uses: docker://fzipi/owasp-samm-preprocess-yaml:version-0.8.1
uses: docker://backnot/owasp-samm-process-yaml-content:latest
with:
args: '-d model -o output'
- name: 'Move generated files to common directory structure'
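Review bot: this swaps a version-pinned image (`fzipi/owasp-samm-preprocess-yaml:version-0.8.1`) for `backnot/owasp-samm-process-yaml-content:latest`, which gives up reproducibility: `latest` can be re-pushed at any time, and this workflow publishes the container's output into the repository. Pin to a digest or a specific version tag. Note also that the unchanged `args: '-d model -o output'` passes no `-l` language flag, unlike the reusable workflow added in this same commit, so the new image's default language should be confirmed to match the previous output.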
Expand All @@ -66,14 +66,14 @@ jobs:
SQUASH_HISTORY: true
# after changing something, we need to trigger the website build
trigger-website-build:
if: github.event.push.tags && github.ref_type == 'tag'
if: github.event_name == 'push' && github.ref_type == 'tag'
runs-on: ubuntu-latest
needs: generate-markdown
steps:
- name: Trigger Website Dispatch
uses: peter-evans/repository-dispatch@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.OWASP_SAMM_WEBSITE_TOKEN }}
repository: owaspsamm/website
event-type: samm-core-released
client-payload: '{"release": "${{ github.ref_name }}"}'
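Review bot: the condition fix is correct as far as the visible lines show: `github.event.push.tags` is not a valid context path, so the old `if:` could never be true, whereas `github.event_name == 'push' && github.ref_type == 'tag'` expresses the intent. The switch from `secrets.GITHUB_TOKEN` to `secrets.OWASP_SAMM_WEBSITE_TOKEN` is needed because the workflow token cannot dispatch to another repository (`owaspsamm/website`), but it introduces a long-lived credential into this repository's secrets; it should be a fine-grained token scoped to the website repository only, with just the permission the repository-dispatch endpoint requires and a named owner for rotation, and the job would benefit from an explicit `permissions:` block now that it no longer needs write access through `GITHUB_TOKEN`.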
2 changes: 1 addition & 1 deletion README.md
@@ -1,6 +1,6 @@
# OWASP SAMM - Core Model Repository

[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects)
[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://owasp.org/projects/#flagship-projects)
[![Join the chat at https://owasp.slack.com/archives/C0VF1EJGH](https://img.shields.io/badge/chat-on%20slack-blueviolet)](https://owasp.slack.com/archives/C0VF1EJGH)
[![Twitter Follow](https://img.shields.io/twitter/follow/owaspsamm?style=social)](https://twitter.com/OwaspSAMM)

2 changes: 1 addition & 1 deletion model/activities/D-TA-1-B.yml
Expand Up @@ -30,7 +30,7 @@ longDescription: |
Threat modeling is a team exercise, including product owners, architects, security champions, and security testers. At this maturity level, expose teams and stakeholders to threat modeling to increase security awareness and to create a shared vision on the security of the system.
At maturity level 1, you perform threat modeling ad-hoc for high-risk applications and use simple threat checklists, such as STRIDE. Avoid lengthy workshops and overly detailed lists of low-relevant threats. Perform threat modeling iteratively to align to more iterative development paradigms. If you add new functionality to an existing application, look only into the newly added functions instead of trying to cover the entire scope. A good starting point is the existing diagrams that you annotate during discussion workshops. Always make sure to persist the outcome of a threat modeling discussion for later use.
At maturity level 1, you perform threat modeling ad-hoc for high-risk applications and use simple threat checklists, such as STRIDE. Avoid lengthy workshops and overly detailed lists of low-relevant threats. Perform threat modeling iteratively to align to more iterative development paradigms. If you add new functionality to an existing application, look only into the newly added functions instead of trying to cover the entire scope. A good starting point is the existing diagrams that you annotate during discussion workshops. Always persist the outcome of a threat modeling discussion for later use.
Your most important tool to start threat modeling is a whiteboard, smartboard, or a piece of paper. Aim for security awareness, a simple process, and actionable outcomes that you agree upon with your team.
2 changes: 1 addition & 1 deletion model/activities/D-TA-2-B.yml
Expand Up @@ -31,7 +31,7 @@ longDescription: |
Your threat modeling methodology includes at least diagramming, threat identification, design flaw mitigations, and how to validate your threat model artifacts. Your threat model diagram allows a detailed understanding of the environment and the mechanics of the application. You discover threats to your application with checklists, such as STRIDE or more organization-specific threats. For identified design flaws (ranked according to risk for your organization), you add mitigating controls to support stakeholders in dealing with particular threats. Define what triggers updating a threat model, for example, a technology change or deployment of an application in a new environment.
Feed the output of threat modeling to the defect management process for adequate follow-up. Capture the threat modeling artifacts with tools that are used by your application teams.
Feed the output of threat modeling to the defect management process for adequate follow-up. Capture the threat modeling artifacts with tools used by your application teams.
#The output of this particular activity
results:
2 changes: 1 addition & 1 deletion model/activities/D-TA-3-B.yml
Expand Up @@ -24,7 +24,7 @@ shortDescription: Continuously optimization and automation of your threat modeli

#A multi-paragraph description of the activity
longDescription: |
Threat modeling is integrated into your SDLC and has become part of the developer security culture. Reusable risk patterns, comprising of related threat libraries, design flaws, and security mitigations, are created and improved, based on the organization's threat models. You regularly (e.g., yearly) review the existing threat models to verify that no new threats are relevant for your applications.
Threat modeling is integrated into your SDLC and has become part of the developer security culture. Reusable risk patterns, comprising related threat libraries, design flaws, and security mitigations, are created and improved, based on the organization's threat models. You regularly (e.g., yearly) review the existing threat models to verify that no new threats are relevant for your applications.
You optimize your threat modeling methodology. You capture lessons learned from threat models and use these to improve your threat modeling methodology. You review the threat categories relevant to your organization and update your methodology appropriately. From time to time, you evaluate the quality of your threat models independently.
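Review bot: the context line in the hunk header, `shortDescription: Continuously optimization and automation of your threat modeli...`, uses an adverb where a noun phrase is needed ('Continuous optimization and automation of ...'); since this commit is already a copy-editing pass over this file (`comprising of` to `comprising`), that line should be corrected in the same change.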
2 changes: 1 addition & 1 deletion model/activities/G-EG-3-B.yml
Expand Up @@ -26,7 +26,7 @@ shortDescription: Build a secure software community including all organization p
longDescription: |
Security is the responsibility of all employees, not just the Information Security team. Deploy communication and knowledge sharing platforms to help developers build communities around different technologies, tools, and programming languages. In these communities employees share information, discuss challenges with other developers, and search the knowledge base for answers to previously discussed issues.
Form communities around roles and responsibilities and enable developers and engineers from different teams and business units to communicate freely and benefit from each other's expertise. Encourage participation, set up a program to promote those who help the most people as thought leaders, and have management recognize them. In addition to improving application security, this platform may help identify future members of the Secure Software Center of Excellence, or 'Security Champions' based on their expertise and willingness to help others.
Form communities around roles and responsibilities. Enable developers and engineers from different teams and business units to communicate freely so they can benefit from each other's expertise. Encourage participation, set up a program to promote those who help the most people as thought leaders, and have management recognize them. In addition to improving application security, this platform may help identify future members of the Secure Software Center of Excellence, or 'Security Champions' based on their expertise and willingness to help others.
The Secure Software Center of Excellence and Application Security teams review the information portal regularly for insights into the new and upcoming technologies, as well as opportunities to assist the development community with new initiatives, tools, programs, and training resources. Use the portal to disseminate information about new standards, tools, and resources to all developers for the continued improvement of SDLC maturity and application security.
2 changes: 1 addition & 1 deletion model/activities/G-SM-2-A.yml
Expand Up @@ -25,7 +25,7 @@ shortDescription: Publish a unified strategy for application security.
longDescription: |
Based on the magnitude of assets, threats, and risk tolerance, develop a security strategic plan and budget to address business priorities around application security. The plan covers 1 to 3 years and includes milestones consistent with the organization's business drivers and risks. It provides tactical and strategic initiatives and follows a roadmap that makes its alignment with business priorities and needs visible.
In the roadmap, you reach a balance between changes requiring financial expenditures, changes of processes and procedures, and changes impacting the organization's culture. This balance helps accomplish multiple milestones concurrently and without overloading or exhausting available resources or development teams. The milestones are frequent enough to help monitor program success and trigger timely roadmap adjustments.
In the roadmap, reach a balance between changes requiring financial expenditures, changes of processes and procedures, and changes impacting the organization's culture. This balance helps accomplish multiple milestones concurrently and without overloading or exhausting available resources or development teams. The milestones are frequent enough to help monitor program success and trigger timely roadmap adjustments.
For the program to be successful, the application security team obtains buy-in from the organization's stakeholders and application development teams. A published plan is available to anyone who is required to support or participate in its implementation.
2 changes: 1 addition & 1 deletion model/activities/I-SD-1-B.yml
Expand Up @@ -52,7 +52,7 @@ personnel:
notes: None

#References to other activities that are prerequisites to implement this one.
relatedActivites:
relatedActivities:
- 994bcac2bb7c4cc59a0faa365a0b58a0 #I-SD-1-A

#Type Classification of the Document
2 changes: 1 addition & 1 deletion model/activities/I-SD-2-A.yml
Expand Up @@ -52,7 +52,7 @@ personnel:
notes: None

#References to other activities that are prerequisites to implement this one.
relatedActivites:
relatedActivities:
- fb6f258a2e424ee9a919341758222a7a #V-ST-2-A

#Type Classification of the Document
2 changes: 1 addition & 1 deletion model/activities/O-IM-2-B.yml
Expand Up @@ -13,7 +13,7 @@ level: 439406325e6645519c149da3e05a7d9d
id: d6dd8813c5074350b5614b92f2dec60d

#The title of this activity
title: Define and incident response process
title: Define an incident response process

#Describe the benefit that is achieved by implementing this activity
benefit: Understanding and efficient handling of most security incidents
2 changes: 1 addition & 1 deletion model/activities/O-OM-2-B.yml
Expand Up @@ -16,7 +16,7 @@ id: 60d7a0a61dd142d5a87009bc5b93df56
title: Formalize decommissioning process

#Describe the benefit that is achieved by implementing this activity
benefit: Standardized decommisioning process decreasing the risk of forgetting components
benefit: Standardized decommissioning process decreasing the risk of forgetting components

#A one sentence description of the activity
shortDescription: Develop repeatable decommissioning processes for unused systems/services,
3 changes: 2 additions & 1 deletion model/activities/V-AA-1-B.yml
Expand Up @@ -42,6 +42,7 @@ personnel:
notes:

#References to other activities that are prerequisites to implement this one.
dependencies:
relatedActivities:

#Type Classification of the Document
type: Activity
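Review bot: the renamed `relatedActivities:` key is left with no value, which YAML parses as null rather than an empty list, and the same pattern recurs in the other `V-AA-*` and `V-RT-*` files in this commit; if the processing image expects a list here, `relatedActivities: []` is the safer form, and the files that do carry entries (the `I-SD-*` ones) show the intended list shape. It would also be worth checking that no other file still uses the old `dependencies:` key or the misspelled `relatedActivites:` fixed elsewhere in this commit.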
3 changes: 2 additions & 1 deletion model/activities/V-AA-2-A.yml
Expand Up @@ -42,6 +42,7 @@ personnel:
notes:

#References to other activities that are prerequisites to implement this one.
dependencies:
relatedActivities:

#Type Classification of the Document
type: Activity
2 changes: 1 addition & 1 deletion model/activities/V-AA-2-B.yml
Expand Up @@ -44,6 +44,6 @@ personnel:
notes:

#References to other activities that are prerequisites to implement this one.
dependencies:
relatedActivities:
#Type Classification of the Document
type: Activity
3 changes: 2 additions & 1 deletion model/activities/V-AA-3-A.yml
Expand Up @@ -42,6 +42,7 @@ personnel:
notes:

#References to other activities that are prerequisites to implement this one.
dependencies:
relatedActivities:

#Type Classification of the Document
type: Activity
5 changes: 3 additions & 2 deletions model/activities/V-AA-3-B.yml
Expand Up @@ -20,7 +20,7 @@ benefit: Continuous improvement of enterprise architecture based on architecture

#A one sentence description of the activity
shortDescription: Feed the architecture review results back into the enterprise architecture,
organization design principles & patterns, security solutions and reference architectures.
organization design principles and patterns, security solutions and reference architectures.

#A multi-paragraph description of the activity
longDescription: |
Expand All @@ -41,6 +41,7 @@ personnel:
notes:

#References to other activities that are prerequisites to implement this one.
dependencies:
relatedActivities:

#Type Classification of the Document
type: Activity
2 changes: 1 addition & 1 deletion model/activities/V-RT-1-A.yml
Expand Up @@ -42,7 +42,7 @@ personnel:
notes:

#References to other activities that are prerequisites to implement this one.
dependencies:
relatedActivities:
- 5702908efca4499e87a0239f32920d9b # Practice D-Security-Requirements

#Type Classification of the Document
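Review bot: after the rename, `relatedActivities` still holds `5702908efca4499e87a0239f32920d9b # Practice D-Security-Requirements`, which by its own comment is a practice ID, whereas the field comment says it references other activities and the `I-SD-*` files in this commit list activity IDs such as `#I-SD-1-A`. Either point this at a concrete activity ID or document that practice references are permitted here; otherwise tooling that resolves these IDs against activities will not find it.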
3 changes: 2 additions & 1 deletion model/activities/V-RT-1-B.yml
Expand Up @@ -42,6 +42,7 @@ personnel:
notes:

#References to other activities that are prerequisites to implement this one.
dependencies:
relatedActivities:

#Type Classification of the Document
type: Activity
3 changes: 2 additions & 1 deletion model/activities/V-RT-2-A.yml
Expand Up @@ -44,6 +44,7 @@ personnel:
notes:

#References to other activities that are prerequisites to implement this one.
dependencies:
relatedActivities:

#Type Classification of the Document
type: Activity
2 changes: 1 addition & 1 deletion model/activities/V-RT-2-B.yml
Expand Up @@ -42,6 +42,6 @@ personnel:
notes:

#References to other activities that are prerequisites to implement this one.
dependencies:
relatedActivities:
#Type Classification of the Document
type: Activity
5 changes: 3 additions & 2 deletions model/activities/V-RT-3-A.yml
Expand Up @@ -25,7 +25,7 @@ shortDescription: Perform regression testing (with security unit tests).
longDescription: |
Write and automate regression tests for all identified (and fixed) bugs to ensure that these become a test harness preventing similar issues being introduced during later releases. Security unit tests should verify dynamically (i.e., at run time) that the components function as expected and should validate that code changes are properly implemented.
A good practice for developers is to build security test cases as a generic security test suite that is part of the existing unit testing framework. A generic security test suite might include security test cases to validate both positive and negative requirements for security controls such as Identity, Authentication & Access Control, Input Validation & Encoding, User and Session Management, Error and Exception Handling, Encryption, and Auditing and Logging. Verify the correct execution of the security tests as early as possible. If feasible for example, consider the passing of security tests as part of merge requirements before allowing new code to enter the main code base. Alternatively, consider their passing a requirement for validating a build.
A good practice for developers is to build security test cases as a generic security test suite that is part of the existing unit testing framework. A generic security test suite might include security test cases to validate both positive and negative requirements for security controls such as Identity, Authentication and Access Control, Input Validation and Encoding, User and Session Management, Error and Exception Handling, Encryption, and Auditing and Logging. Verify the correct execution of the security tests as early as possible. If feasible for example, consider the passing of security tests as part of merge requirements before allowing new code to enter the main code base. Alternatively, consider their passing a requirement for validating a build.
For security functional tests, use unit level tests for the functionality of security controls at the software component level, such as functions, methods, or classes. For example, a test case could check input and output validation (e.g., variable sanitation) and boundary checks for variables by asserting the expected functionality of the component.
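Review bot: the changed line still carries 'If feasible for example, consider the passing of security tests as part of merge requirements before allowing new code to enter the main code base', where 'for example' is misplaced; suggest 'For example, if feasible, require passing security tests before new code is merged into the main code base.' The sentence that follows, 'Alternatively, consider their passing a requirement for validating a build', reads more naturally as 'Alternatively, make passing them a requirement for validating a build.' Since this hunk is already replacing ampersands in that line, both fixes belong in the same edit.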
Expand All @@ -44,6 +44,7 @@ personnel:
notes:

#References to other activities that are prerequisites to implement this one.
dependencies:
relatedActivities:

#Type Classification of the Document
type: Activity