{
"config": {
"schema" : "bsimm",
"version": "6"
},
"metadata": [
"team",
"security-champion",
"source-code-repo",
"issue-tracking",
"wiki",
"ci-server",
"created-by",
"hide-from-stats"
],
"domains":
{
"Governance" : { "practices": ["Strategy & Metrics" , "Compliance & Policy" , "Training" ]},
"Intelligence" : { "practices": ["Attack Models" , "Security Features & Design" , "Standards & Requirements" ]},
"SSDL Touchpoints" : { "practices": ["Architecture Analysis" , "Code Review" , "Security Testing" ]},
"Deployment" : { "practices": ["Penetration Testing" , "Software Environment" , "Configuration Management & Vulnerability Management" ]}
},
"practices":
{
"Strategy & Metrics" : { "key": "SM" , "activities": [ "SM.1.1" , "SM.1.2" , "SM.1.3" , "SM.1.4" , "SM.2.1" , "SM.2.2" , "SM.2.3" , "SM.2.5" , "SM.2.6" , "SM.3.1", "SM.3.2" ]},
"Compliance & Policy" : { "key": "CP" , "activities": [ "CP.1.1" , "CP.1.2" , "CP.1.3" , "CP.2.1" , "CP.2.2" , "CP.2.3" , "CP.2.4" , "CP.2.5" , "CP.3.1" , "CP.3.2", "CP.3.3" ]},
"Training" : { "key": "T" , "activities": [ "T.1.1" , "T.1.5" , "T.1.6" , "T.1.7" , "T.2.5" , "T.2.6" , "T.2.7" , "T.3.1" , "T.3.2" , "T.3.3" , "T.3.4" , "T.3.5" ]},
"Attack Models" : { "key": "AM" , "activities": [ "AM.1.1" , "AM.1.2" , "AM.1.3" , "AM.1.4" , "AM.1.5" , "AM.1.6" , "AM.2.1" , "AM.2.2" , "AM.3.1" , "AM.3.2" ]},
"Security Features & Design" : { "key": "SFD" , "activities": [ "SFD.1.1" , "SFD.1.2" , "SFD.2.1" , "SFD.2.2" , "SFD.3.1" , "SFD.3.2" , "SFD.3.3" ]},
"Standards & Requirements" : { "key": "SR" , "activities": [ "SR.1.1" , "SR.1.2" , "SR.1.3" , "SR.2.2" , "SR.2.3" , "SR.2.4" , "SR.2.5" , "SR.2.6" , "SR.3.1" , "SR.3.2" ]},
"Architecture Analysis" : { "key": "AA" , "activities": [ "AA.1.1" , "AA.1.2" , "AA.1.3" , "AA.1.4" , "AA.2.1" , "AA.2.2" , "AA.2.3" , "AA.3.1" , "AA.3.2" ]},
"Code Review" : { "key": "CR" , "activities": [ "CR.1.1" , "CR.1.2" , "CR.1.4" , "CR.1.5" , "CR.1.6" , "CR.2.2" , "CR.2.5" , "CR.2.6" , "CR.3.2" , "CR.3.3", "CR.3.4" ]},
"Security Testing" : { "key": "ST" , "activities": [ "ST.1.1" , "ST.1.3" , "ST.2.1" , "ST.2.4" , "ST.2.5" , "ST.2.6" , "ST.3.3" , "ST.3.4" , "ST.3.5" ]},
"Penetration Testing" : { "key": "PT" , "activities": [ "PT.1.1" , "PT.1.2" , "PT.1.3" , "PT.2.2" , "PT.2.3" , "PT.3.1" , "PT.3.2" ]},
"Software Environment" : { "key": "SE" , "activities": [ "SE.1.1" , "SE.1.2" , "SE.2.2" , "SE.2.4" , "SE.3.2" , "SE.3.3" ]},
"Configuration Management & Vulnerability Management" : { "key": "CMVM" , "activities": [ "CMVM.1.1", "CMVM.1.2", "CMVM.2.1", "CMVM.2.2", "CMVM.2.3", "CMVM.3.1", "CMVM.3.2", "CMVM.3.3", "CMVM.3.4" ]}
},
"activities":
{
"SM.1.1" :{ "level" :"1", "name" : "Publish process (roles, responsibilities, plan), evolve as necessary" },
"SM.1.2" :{ "level" :"1", "name" : "Create evangelism role and perform internal marketing" },
"SM.1.3" :{ "level" :"1", "name" : "Educate executives" },
"SM.1.4" :{ "level" :"1", "name" : "Identify gate locations, gather necessary artifacts" },
"SM.2.1" :{ "level" :"2", "name" : "Publish data about software security internally" },
"SM.2.2" :{ "level" :"2", "name" : "Enforce gates with measurements and track exceptions" },
"SM.2.3" :{ "level" :"2", "name" : "Create or grow a satellite" },
"SM.2.5" :{ "level" :"2", "name" : "Identify metrics and use them to drive budgets" },
"SM.2.6" :{ "level" :"2", "name" : "Require security sign-off" },
"SM.3.1" :{ "level" :"3", "name" : "Use an internal tracking application with portfolio view" },
"SM.3.2" :{ "level" :"3", "name" : "Run an external marketing program" },
"CP.1.1" :{ "level" :"1", "name" : "Unify regulatory pressures" },
"CP.1.2" :{ "level" :"1", "name" : "Identify PII obligations" },
"CP.1.3" :{ "level" :"1", "name" : "Create policy" },
"CP.2.1" :{ "level" :"2", "name" : "Identify PII data inventory" },
"CP.2.2" :{ "level" :"2", "name" : "Require security sign-off for compliance-related risk" },
"CP.2.3" :{ "level" :"2", "name" : "Implement and track controls for compliance" },
"CP.2.4" :{ "level" :"2", "name" : "Paper all vendor contracts with software security SLAs" },
"CP.2.5" :{ "level" :"2", "name" : "Ensure executive awareness of compliance and privacy obligations" },
"CP.3.1" :{ "level" :"3", "name" : "Create regulator eye-candy" },
"CP.3.2" :{ "level" :"3", "name" : "Impose policy on vendors" },
"CP.3.3" :{ "level" :"3", "name" : "Drive feedback from SSDL data back to policy" },
"T.1.1" :{ "level" :"1", "name" : "Provide awareness training" },
"T.1.5" :{ "level" :"1", "name" : "Deliver role-specific advanced curriculum (tools, technology stacks, bug parade)" },
"T.1.6" :{ "level" :"1", "name" : "Create and use material specific to company history" },
"T.1.7" :{ "level" :"1", "name" : "Deliver on-demand individual training" },
"T.2.5" :{ "level" :"2", "name" : "Enhance satellite through training and events" },
"T.2.6" :{ "level" :"2", "name" : "Include security resources in onboarding" },
"T.2.7" :{ "level" :"2", "name" : "Identify satellite through training" },
"T.3.1" :{ "level" :"3", "name" : "Reward progression through curriculum (certification or HR)" },
"T.3.2" :{ "level" :"3", "name" : "Provide training for vendors or outsourced workers" },
"T.3.3" :{ "level" :"3", "name" : "Host external software security events" },
"T.3.4" :{ "level" :"3", "name" : "Require an annual refresher" },
"T.3.5" :{ "level" :"3", "name" : "Establish SSG office hours" },
"AM.1.1" :{ "level" :"1", "name" : "Build and maintain a top N possible attacks list" },
"AM.1.2" :{ "level" :"1", "name" : "Create a data classification scheme and inventory" },
"AM.1.3" :{ "level" :"1", "name" : "Identify potential attackers" },
"AM.1.4" :{ "level" :"1", "name" : "Collect and publish attack stories" },
"AM.1.5" :{ "level" :"1", "name" : "Gather and use attack intelligence" },
"AM.1.6" :{ "level" :"1", "name" : "Build an internal forum to discuss attacks" },
"AM.2.1" :{ "level" :"2", "name" : "Build attack patterns and abuse cases tied to potential attackers" },
"AM.2.2" :{ "level" :"2", "name" : "Create technology-specific attack patterns" },
"AM.3.1" :{ "level" :"3", "name" : "Have a science team that develops new attack methods" },
"AM.3.2" :{ "level" :"3", "name" : "Create and use automation to do what attackers will do" },
"SFD.1.1" :{ "level" :"1", "name" : "Build and publish security features" },
"SFD.1.2" :{ "level" :"1", "name" : "Engage SSG with architecture" },
"SFD.2.1" :{ "level" :"2", "name" : "Build secure-by-design middleware frameworks and common libraries" },
"SFD.2.2" :{ "level" :"2", "name" : "Create SSG capability to solve difficult design problems" },
"SFD.3.1" :{ "level" :"3", "name" : "Form a review board or central committee to approve and maintain secure design patterns" },
"SFD.3.2" :{ "level" :"3", "name" : "Require use of approved security features and frameworks" },
"SFD.3.3" :{ "level" :"3", "name" : "Find and publish mature design patterns from the organization" },
"SR.1.1" :{ "level" :"1", "name" : "Create security standards" },
"SR.1.2" :{ "level" :"1", "name" : "Create a security portal" },
"SR.1.3" :{ "level" :"1", "name" : "Translate compliance constraints to requirements" },
"SR.2.2" :{ "level" :"2", "name" : "Create a standards review board" },
"SR.2.3" :{ "level" :"2", "name" : "Create standards for technology stacks" },
"SR.2.4" :{ "level" :"2", "name" : "Identify open source" },
"SR.2.5" :{ "level" :"2", "name" : "Create SLA boilerplate" },
"SR.2.6" :{ "level" :"2", "name" : "Use secure coding standards" },
"SR.3.1" :{ "level" :"3", "name" : "Control open source risk" },
"SR.3.2" :{ "level" :"3", "name" : "Communicate standards to vendors" },
"AA.1.1" :{ "level" :"1", "name" : "Perform security feature review" },
"AA.1.2" :{ "level" :"1", "name" : "Perform design review for high-risk applications" },
"AA.1.3" :{ "level" :"1", "name" : "Have SSG lead design review efforts" },
"AA.1.4" :{ "level" :"2", "name" : "Use a risk questionnaire to rank applications" },
"AA.2.1" :{ "level" :"2", "name" : "Define and use AA process" },
"AA.2.2" :{ "level" :"2", "name" : "Standardize architectural descriptions (including data flow)" },
"AA.2.3" :{ "level" :"2", "name" : "Make SSG available as AA resource or mentor" },
"AA.3.1" :{ "level" :"3", "name" : "Have software architects lead design review efforts" },
"AA.3.2" :{ "level" :"3", "name" : "Drive analysis results into standard architecture patterns" },
"CR.1.1" :{ "level" :"1", "name" : "Use a top N bugs list (real data preferred)" },
"CR.1.2" :{ "level" :"1", "name" : "Have SSG perform ad hoc review" },
"CR.1.4" :{ "level" :"1", "name" : "Use automated tools along with manual review" },
"CR.1.5" :{ "level" :"1", "name" : "Make code review mandatory for all projects" },
"CR.1.6" :{ "level" :"1", "name" : "Use centralized reporting to close the knowledge loop and drive training" },
"CR.2.2" :{ "level" :"2", "name" : "Enforce coding standards" },
"CR.2.5" :{ "level" :"2", "name" : "Assign tool mentors" },
"CR.2.6" :{ "level" :"2", "name" : "Use automated tools with tailored rules" },
"CR.3.2" :{ "level" :"3", "name" : "Build a factory" },
"CR.3.3" :{ "level" :"3", "name" : "Build a capability for eradicating specific bugs from the entire codebase" },
"CR.3.4" :{ "level" :"3", "name" : "Automate malicious code detection" },
"ST.1.1" :{ "level" :"1", "name" : "Ensure QA supports edge/boundary value condition testing" },
"ST.1.3" :{ "level" :"1", "name" : "Drive tests with security requirements and security features" },
"ST.2.1" :{ "level" :"2", "name" : "Integrate black box security tools into the QA process" },
"ST.2.4" :{ "level" :"2", "name" : "Share security results with QA" },
"ST.2.5" :{ "level" :"2", "name" : "Include security tests in QA automation" },
"ST.2.6" :{ "level" :"2", "name" : "Perform fuzz testing customized to application APIs" },
"ST.3.3" :{ "level" :"3", "name" : "Drive tests with risk analysis results" },
"ST.3.4" :{ "level" :"3", "name" : "Leverage coverage analysis" },
"ST.3.5" :{ "level" :"3", "name" : "Begin to build and apply adversarial security tests (abuse cases)" },
"PT.1.1" :{ "level" :"1", "name" : "Use external penetration testers to find problems" },
"PT.1.2" :{ "level" :"1", "name" : "Feed results to the defect management and mitigation system" },
"PT.1.3" :{ "level" :"1", "name" : "Use penetration testing tools internally" },
"PT.2.2" :{ "level" :"2", "name" : "Provide penetration testers with all available information" },
"PT.2.3" :{ "level" :"2", "name" : "Schedule periodic penetration tests for application coverage" },
"PT.3.1" :{ "level" :"3", "name" : "Use external penetration testers to perform deep-dive analysis" },
"PT.3.2" :{ "level" :"3", "name" : "Have the SSG customize penetration testing tools and scripts" },
"SE.1.1" :{ "level" :"1", "name" : "Use application input monitoring" },
"SE.1.2" :{ "level" :"1", "name" : "Ensure host and network security basics are in place" },
"SE.2.2" :{ "level" :"2", "name" : "Publish installation guides" },
"SE.2.4" :{ "level" :"2", "name" : "Use code signing" },
"SE.3.2" :{ "level" :"3", "name" : "Use code protection" },
"SE.3.3" :{ "level" :"3", "name" : "Use application behavior monitoring and diagnostics" },
"CMVM.1.1" :{ "level" :"1", "name" : "Create or interface with incident response" },
"CMVM.1.2" :{ "level" :"1", "name" : "Identify software defects found in operations monitoring and feed them back to development" },
"CMVM.2.1" :{ "level" :"2", "name" : "Have emergency codebase response" },
"CMVM.2.2" :{ "level" :"2", "name" : "Track software bugs found in operations through the fix process" },
"CMVM.2.3" :{ "level" :"2", "name" : "Develop an operations inventory of applications" },
"CMVM.3.1" :{ "level" :"3", "name" : "Fix all occurrences of software bugs found in operations" },
"CMVM.3.2" :{ "level" :"3", "name" : "Enhance the SSDL to prevent software bugs found in operations" },
"CMVM.3.3" :{ "level" :"3", "name" : "Simulate software crisis" },
"CMVM.3.4" :{ "level" :"3", "name" : "Operate a bug bounty program" }
}
}