fix: add secure headers and Containers are running as non-root

Author: wurstbrot

src/assets/YAML/default/Implementation/ApplicationHardening.yaml

@@ -222,8 +222,110 @@ Implementation:
         iso27001-2022:
           - Hardening is not explicitly covered by ISO 27001 - too specific
           - 8.22
-      isImplemented: false
-      evidence: ""
-      comments: ""
       dependsOn:
         - App. Hardening Level 2
+    Secure headers:
+      uuid: 29318d60-18ce-4526-80ea-f5928e49f639
+      risk: |
+        Missing or misconfigured security headers can lead to various security vulnerabilities, e.g.:
+        - Cross-Site Scripting (XSS) due to missing Content Security Policy
+        - Clickjacking attacks due to missing X-Frame-Options
+        - Information disclosure through Server header exposure
+        - SSL/TLS downgrade attacks due to missing HSTS
+        - Cross-site scripting and injection due to missing security headers
+      measure: |
+        Implement and enforce security headers across all applications and services
+        
+        Implementation Methods:
+        1. Reverse Proxy/Load Balancer: Configure at nginx/Apache level
+        2. Web Application: Implement in the application middleware
+        3. Service Mesh: Configure at the ingress controller level
+        4. Standard Docker Image: Use secure base images with preset headers
+        
+        Remove or Secure:
+        - Server header: Hide server version information
+        - X-Powered-By: Remove technology stack information
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 1
+        resources: 2
+      usefulness: 4
+      level: 3
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-secure-headers
+      meta:
+        implementationGuide: |
+          Essential headers:
+          - Content-Security-Policy: Define trusted sources for content
+          - Strict-Transport-Security: Enforce HTTPS connections
+          - X-Frame-Options: Prevent clickjacking attacks
+          - X-Content-Type-Options: Prevent MIME-type sniffing
+          - X-XSS-Protection: Enable browser's XSS filtering
+          - Referrer-Policy: Control information in the Referrer header
+      references:
+        samm2:
+          - D-SR-3-A
+        iso27001-2017:
+          - Hardening is not explicitly covered by ISO 27001 - too specific
+          - 13.1.3
+        iso27001-2022:
+          - Hardening is not explicitly covered by ISO 27001 - too specific
+          - 8.22
+        openCRE:
+          - https://www.opencre.org/cre/620-421
+    Containers are running as non-root:
+      uuid: a86c1fbc-28fd-4610-89a3-a7f73acfe45f
+      risk: |-
+        There are various reasons to run a container as non-root. Samples are listed:
+        ## Container Escape Vectors
+
+        - Root privileges significantly increase the chance of breaking container isolation
+        - Root access can be leveraged to exploit kernel vulnerabilities
+        - Compromised root containers provide attackers with maximum privileges inside the container
+        - Greater potential for escaping container boundaries to the host system
+
+        ## Host System Vulnerabilities
+
+        Root containers can potentially:
+
+        - Mount sensitive host filesystems
+        - Access critical device files
+        - Modify host network settings
+        - Interact with host system processes
+        - Override security controls
+
+        ## Resource Management Issues
+
+        Root privileges may allow containers to:
+
+        - Bypass resource quotas and limits
+        - Modify control group (cgroup) settings
+        - Interfere with other containers' resources
+        - Circumvent memory and CPU restrictions
+
+        Security Boundary Weakening
+
+        - Violates the principle of least privilege
+        - Provides unnecessary elevated permissions
+        - Expands the potential attack surface
+        - Increases the impact of a successful compromise
+
+      measure: |-
+        Containers are running as non-root. This can be enforced in the image itself or during runtime parameters 
+        (e.g. `podman  run --user [...]`).
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 2
+        resources: 1
+      usefulness: 3
+      level: 2
+      implementation: []
+      references:
+        samm2:
+          - O-EM-1-A
+        iso27001-2017:
+          - Virtual environments are not explicitly covered by ISO 27001 - too specific
+          - 13.1.3
+        iso27001-2022:
+          - Virtual environments are not explicitly covered by ISO 27001 - too specific
+          - 8.22

src/assets/YAML/default/Implementation/InfrastructureHardening.yaml

@@ -96,8 +96,6 @@ Implementation:
         iso27001-2022:
           - Virtual environments are not explicitly covered by ISO 27001 - too specific
           - 8.22
-      isImplemented: false
-      evidence: ""
       comments: ""
     Backup:
       uuid: 5c61fd6b-8106-4c68-ac28-a8a42f1c67dc

src/assets/YAML/default/implementations.yaml

@@ -975,3 +975,13 @@ implementations:
     url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
     description: |-
       A catalog of vulnerabilities that have been exploited.
+  owasp-secure-headers:
+    uuid: 370b7f35-4da7-4833-89d6-7266b82ea07e
+    name: OWASP Secure Headers Project
+    tags: [header, documentation]
+    url: https://owasp.org/www-project-secure-headers/
+    description: |-
+      The OWASP Secure Headers Project (also called OSHP) describes HTTP response headers that your application can use 
+      to increase the security of your application. Once set, these HTTP response headers can restrict modern browsers 
+      from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness
+      and use of these headers.