{
"config": {
"schema" : "bsimm",
"version": "9"
},
"metadata": [
"team",
"security-champion",
"source-code-repo",
"issue-tracking",
"wiki",
"ci-server",
"created-by",
"hide-from-stats"
],
"domains":
{
"Governance" : { "practices": ["Strategy & Metrics" , "Compliance & Policy" , "Training" ]},
"Intelligence" : { "practices": ["Attack Models" , "Security Features & Design" , "Standards & Requirements" ]},
"SSDL Touchpoints" : { "practices": ["Architecture Analysis" , "Code Review" , "Security Testing" ]},
"Deployment" : { "practices": ["Penetration Testing" , "Software Environment" , "Configuration Management & Vulnerability Management" ]}
},
"practices":
{
"Strategy & Metrics" : { "key": "SM" , "activities": [ "SM.1.1" , "SM.1.2" , "SM.1.3" , "SM.1.4" , "SM.2.1" , "SM.2.2" , "SM.2.3" , "SM.2.6" , "SM.3.1", "SM.3.2" , "SM.3.3" ]},
"Compliance & Policy" : { "key": "CP" , "activities": [ "CP.1.1" , "CP.1.2" , "CP.1.3" , "CP.2.1" , "CP.2.2" , "CP.2.3" , "CP.2.4" , "CP.2.5" , "CP.3.1" , "CP.3.2", "CP.3.3" ]},
"Training" : { "key": "T" , "activities": [ "T.1.1" , "T.1.5" , "T.1.6" , "T.1.7" , "T.2.5" , "T.2.6" , "T.3.1" , "T.3.2" , "T.3.3" , "T.3.4" , "T.3.5" , "T.3.6" ]},
"Attack Models" : { "key": "AM" , "activities": [ "AM.1.2" , "AM.1.3" , "AM.1.5" , "AM.2.1" , "AM.2.2" , "AM.2.5" , "AM.2.6" , "AM.2.7" , "AM.3.1" , "AM.3.2" ]},
"Security Features & Design" : { "key": "SFD" , "activities": [ "SFD.1.1" , "SFD.1.2" , "SFD.2.1" , "SFD.2.2" , "SFD.3.1" , "SFD.3.2" , "SFD.3.3" ]},
"Standards & Requirements" : { "key": "SR" , "activities": [ "SR.1.1" , "SR.1.2" , "SR.1.3" , "SR.2.2" , "SR.2.3" , "SR.2.4" , "SR.2.5" , "SR.3.1" , "SR.3.2" , "SR.3.3" ]},
"Architecture Analysis" : { "key": "AA" , "activities": [ "AA.1.1" , "AA.1.2" , "AA.1.3" , "AA.1.4" , "AA.2.1" , "AA.2.2" , "AA.3.1" , "AA.3.2" , "AA.3.3" ]},
"Code Review" : { "key": "CR" , "activities": [ "CR.1.2" , "CR.1.4" , "CR.1.5" , "CR.1.6" , "CR.2.5" , "CR.2.6" , "CR.2.7" , "CR.3.2" , "CR.3.3", "CR.3.4" , "CR.3.5" ]},
"Security Testing" : { "key": "ST" , "activities": [ "ST.1.1" , "ST.1.3" , "ST.2.1" , "ST.2.4" , "ST.2.5" , "ST.2.6" , "ST.3.3" , "ST.3.4" , "ST.3.5" ]},
"Penetration Testing" : { "key": "PT" , "activities": [ "PT.1.1" , "PT.1.2" , "PT.1.3" , "PT.2.2" , "PT.2.3" , "PT.3.1" , "PT.3.2" ]},
"Software Environment" : { "key": "SE" , "activities": [ "SE.1.1" , "SE.1.2" , "SE.2.2" , "SE.2.4" , "SE.3.2" , "SE.3.3" , "SE.3.4" , "SE.3.5" , "SE.3.6" , "SE.3.7" ]},
"Configuration Management & Vulnerability Management" : { "key": "CMVM" , "activities": [ "CMVM.1.1", "CMVM.1.2", "CMVM.2.1", "CMVM.2.2", "CMVM.2.3", "CMVM.3.1", "CMVM.3.2", "CMVM.3.3", "CMVM.3.4" ]}
},
"activities":
{
"SM.1.1" :{ "level" :"1", "name" : "Publish process (roles, responsibilities, plan), evolve as necessary" },
"SM.1.2" :{ "level" :"1", "name" : "Create evangelism role and perform internal marketing" },
"SM.1.3" :{ "level" :"1", "name" : "Educate executives" },
"SM.1.4" :{ "level" :"1", "name" : "Identify gate locations, gather necessary artifacts" },
"SM.2.1" :{ "level" :"2", "name" : "Publish data about software security internally" },
"SM.2.2" :{ "level" :"2", "name" : "Enforce gates with measurements and track exceptions" },
"SM.2.3" :{ "level" :"2", "name" : "Create or grow a satellite" },
"SM.2.6" :{ "level" :"2", "name" : "Require security sign-off" },
"SM.3.1" :{ "level" :"3", "name" : "Use an internal tracking application with portfolio view" },
"SM.3.2" :{ "level" :"3", "name" : "Run an external marketing program" },
"SM.3.3" :{ "level" :"3", "name" : "Identify metrics and use them to drive budgets." },
"CP.1.1" :{ "level" :"1", "name" : "Unify regulatory pressures" },
"CP.1.2" :{ "level" :"1", "name" : "Identify PII obligations" },
"CP.1.3" :{ "level" :"1", "name" : "Create policy" },
"CP.2.1" :{ "level" :"2", "name" : "Identify PII data inventory" },
"CP.2.2" :{ "level" :"2", "name" : "Require security sign-off for compliance-related risk" },
"CP.2.3" :{ "level" :"2", "name" : "Implement and track controls for compliance" },
"CP.2.4" :{ "level" :"2", "name" : "Paper all vendor contracts with software security SLAs" },
"CP.2.5" :{ "level" :"2", "name" : "Ensure executive awareness of compliance and privacy obligations" },
"CP.3.1" :{ "level" :"3", "name" : "Create regulator eye-candy" },
"CP.3.2" :{ "level" :"3", "name" : "Impose policy on vendors" },
"CP.3.3" :{ "level" :"3", "name" : "Drive feedback from SSDL data back to policy" },
"T.1.1" :{ "level" :"1", "name" : "Provide awareness training" },
"T.1.5" :{ "level" :"1", "name" : "Deliver role-specific advanced curriculum (tools, technology stacks, bug parade)" },
"T.1.6" :{ "level" :"1", "name" : "Create and use material specific to company history" },
"T.1.7" :{ "level" :"1", "name" : "Deliver on-demand individual training" },
"T.2.5" :{ "level" :"2", "name" : "Enhance satellite through training and events" },
"T.2.6" :{ "level" :"2", "name" : "Include security resources in onboarding" },
"T.3.1" :{ "level" :"3", "name" : "Reward progression through curriculum (certification or HR)" },
"T.3.2" :{ "level" :"3", "name" : "Provide training for vendors or outsourced workers" },
"T.3.3" :{ "level" :"3", "name" : "Host external software security events" },
"T.3.4" :{ "level" :"3", "name" : "Require an annual refresher" },
"T.3.5" :{ "level" :"3", "name" : "Establish SSG office hours" },
"T.3.6" :{ "level" :"3", "name" : "Identify a satellite through training." },
"AM.1.2" :{ "level" :"1", "name" : "Create a data classification scheme and inventory" },
"AM.1.3" :{ "level" :"1", "name" : "Identify potential attackers" },
"AM.1.5" :{ "level" :"1", "name" : "Gather and use attack intelligence" },
"AM.2.1" :{ "level" :"2", "name" : "Build attack patterns and abuse cases tied to potential attackers" },
"AM.2.2" :{ "level" :"2", "name" : "Create technology-specific attack patterns" },
"AM.2.5" :{ "level" :"2", "name" : "Build and maintain a top N possible attacks list." },
"AM.2.6" :{ "level" :"2", "name" : "Collect and publish attack stories." },
"AM.2.7" :{ "level" :"2", "name" : "Build an internal forum to discuss attacks." },
"AM.3.1" :{ "level" :"3", "name" : "Have a science team that develops new attack methods" },
"AM.3.2" :{ "level" :"3", "name" : "Create and use automation to do what attackers will do" },
"SFD.1.1" :{ "level" :"1", "name" : "Build and publish security features" },
"SFD.1.2" :{ "level" :"1", "name" : "Engage SSG with architecture" },
"SFD.2.1" :{ "level" :"2", "name" : "Build secure-by-design middleware frameworks and common libraries" },
"SFD.2.2" :{ "level" :"2", "name" : "Create SSG capability to solve difficult design problems" },
"SFD.3.1" :{ "level" :"3", "name" : "Form a review board or central committee to approve and maintain secure design patterns" },
"SFD.3.2" :{ "level" :"3", "name" : "Require use of approved security features and frameworks" },
"SFD.3.3" :{ "level" :"3", "name" : "Find and publish mature design patterns from the organization" },
"SR.1.1" :{ "level" :"1", "name" : "Create security standards" },
"SR.1.2" :{ "level" :"1", "name" : "Create a security portal" },
"SR.1.3" :{ "level" :"1", "name" : "Translate compliance constraints to requirements" },
"SR.2.2" :{ "level" :"2", "name" : "Create a standards review board" },
"SR.2.3" :{ "level" :"2", "name" : "Create standards for technology stacks" },
"SR.2.4" :{ "level" :"2", "name" : "Identify open source" },
"SR.2.5" :{ "level" :"2", "name" : "Create SLA boilerplate" },
"SR.3.1" :{ "level" :"3", "name" : "Control open source risk" },
"SR.3.2" :{ "level" :"3", "name" : "Communicate standards to vendors" },
"SR.3.3" :{ "level" :"3", "name" : "Use secure coding standards." },
"AA.1.1" :{ "level" :"1", "name" : "Perform security feature review" },
"AA.1.2" :{ "level" :"1", "name" : "Perform design review for high-risk applications" },
"AA.1.3" :{ "level" :"1", "name" : "Have SSG lead design review efforts" },
"AA.1.4" :{ "level" :"1", "name" : "Use a risk questionnaire to rank applications" },
"AA.2.1" :{ "level" :"2", "name" : "Define and use AA process" },
"AA.2.2" :{ "level" :"2", "name" : "Standardize architectural descriptions (including data flow)" },
"AA.3.1" :{ "level" :"3", "name" : "Have software architects lead design review efforts" },
"AA.3.2" :{ "level" :"3", "name" : "Drive analysis results into standard architecture patterns" },
"AA.3.3" :{ "level" :"3", "name" : "Use secure coding standards." },
"CR.1.2" :{ "level" :"1", "name" : "Have SSG perform ad hoc review" },
"CR.1.4" :{ "level" :"1", "name" : "Use automated tools along with manual review" },
"CR.1.5" :{ "level" :"1", "name" : "Make code review mandatory for all projects" },
"CR.1.6" :{ "level" :"1", "name" : "Use centralized reporting to close the knowledge loop and drive training" },
"CR.2.5" :{ "level" :"2", "name" : "Assign tool mentors" },
"CR.2.6" :{ "level" :"2", "name" : "Use automated tools with tailored rules" },
"CR.2.7" :{ "level" :"2", "name" : "Use a top N bugs list (real data preferred)." },
"CR.3.2" :{ "level" :"3", "name" : "Build a factory" },
"CR.3.3" :{ "level" :"3", "name" : "Build a capability for eradicating specific bugs from the entire codebase" },
"CR.3.4" :{ "level" :"3", "name" : "Automate malicious code detection" },
"CR.3.5" :{ "level" :"3", "name" : "Enforce coding standards." },
"ST.1.1" :{ "level" :"1", "name" : "Ensure QA supports edge/boundary value condition testing" },
"ST.1.3" :{ "level" :"1", "name" : "Drive tests with security requirements and security features" },
"ST.2.1" :{ "level" :"2", "name" : "Integrate black box security tools into the QA process" },
"ST.2.4" :{ "level" :"2", "name" : "Share security results with QA" },
"ST.2.5" :{ "level" :"2", "name" : "Include security tests in QA automation" },
"ST.2.6" :{ "level" :"2", "name" : "Perform fuzz testing customized to application APIs" },
"ST.3.3" :{ "level" :"3", "name" : "Drive tests with risk analysis results" },
"ST.3.4" :{ "level" :"3", "name" : "Leverage coverage analysis" },
"ST.3.5" :{ "level" :"3", "name" : "Begin to build and apply adversarial security tests (abuse cases)" },
"PT.1.1" :{ "level" :"1", "name" : "Use external penetration testers to find problems" },
"PT.1.2" :{ "level" :"1", "name" : "Feed results to the defect management and mitigation system" },
"PT.1.3" :{ "level" :"1", "name" : "Use penetration testing tools internally" },
"PT.2.2" :{ "level" :"2", "name" : "Provide penetration testers with all available information" },
"PT.2.3" :{ "level" :"2", "name" : "Schedule periodic penetration tests for application coverage" },
"PT.3.1" :{ "level" :"3", "name" : "Use external penetration testers to perform deep-dive analysis" },
"PT.3.2" :{ "level" :"3", "name" : "Have the SSG customize penetration testing tools and scripts" },
"SE.1.1" :{ "level" :"1", "name" : "Use application input monitoring" },
"SE.1.2" :{ "level" :"1", "name" : "Ensure host and network security basics are in place" },
"SE.2.2" :{ "level" :"2", "name" : "Publish installation guides" },
"SE.2.4" :{ "level" :"2", "name" : "Use code signing" },
"SE.3.2" :{ "level" :"3", "name" : "Use code protection" },
"SE.3.3" :{ "level" :"3", "name" : "Use application behavior monitoring and diagnostics" },
"SE.3.4" :{ "level" :"3", "name" : "Enforce coding standards." },
"SE.3.5" :{ "level" :"3", "name" : "Use orchestration for containers and virtualized environments." },
"SE.3.6" :{ "level" :"3", "name" : "Enhance application inventory with operations bill of materials." },
"SE.3.7" :{ "level" :"3", "name" : "Ensure cloud security basics." },
"CMVM.1.1" :{ "level" :"1", "name" : "Create or interface with incident response" },
"CMVM.1.2" :{ "level" :"1", "name" : "Identify software defects found in operations monitoring and feed them back to development" },
"CMVM.2.1" :{ "level" :"2", "name" : "Have emergency codebase response" },
"CMVM.2.2" :{ "level" :"2", "name" : "Track software bugs found in operations through the fix process" },
"CMVM.2.3" :{ "level" :"2", "name" : "Develop an operations inventory of applications" },
"CMVM.3.1" :{ "level" :"3", "name" : "Fix all occurrences of software bugs found in operations" },
"CMVM.3.2" :{ "level" :"3", "name" : "Enhance the SSDL to prevent software bugs found in operations" },
"CMVM.3.3" :{ "level" :"3", "name" : "Simulate software crisis" },
"CMVM.3.4" :{ "level" :"3", "name" : "Operate a bug bounty program" }
}
}