Comments (12)
Example of current format:
https://github.com/CycloneDX/official-3rd-party-standards/blob/main/standards/OWASP_ASVS/asvs-4.0.3.cdx.json
Some improvements needed
- remove deleted requirements (number placeholders) from requirement list
- cleanup requirement texts from links like `([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))`
- `bom-ref` for requirements (or everything) should contain ASVS version number. Instead of "V1.2.3" it should be "v4.0.3-1.2.3". See: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x03-Using-ASVS.md#how-to-reference-asvs-requirements
from asvs.
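The three cleanups listed in the comment above, applied to a small constructed document, as an added example that is not code from the ASVS or CycloneDX projects. The document layout follows the shape of a CycloneDX 1.6 `definitions.standards` export as I understand it (field names `bom-ref`, `identifier`, `text`, `parent` are assumptions), the `[DELETED` text prefix used to recognise placeholder requirements is an assumed marker, and the final dangling-parent check goes beyond the comment: it verifies that dropping a placeholder did not leave a child requirement pointing at a `bom-ref` that no longer exists.

```python
import copy
import json
import re

# Constructed sample (not the real ASVS export) in the assumed shape of a
# CycloneDX 1.6 definitions/standards document.
SAMPLE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "definitions": {
        "standards": [{
            "bom-ref": "asvs-4.0.3",
            "name": "OWASP ASVS",
            "version": "4.0.3",
            "requirements": [
                {"bom-ref": "V1", "identifier": "V1",
                 "title": "Architecture, Design and Threat Modeling"},
                {"bom-ref": "V1.2", "identifier": "V1.2", "parent": "V1",
                 "title": "Authentication Architecture"},
                {"bom-ref": "V1.2.1", "identifier": "V1.2.1", "parent": "V1.2",
                 "text": "Verify the use of unique or special low-privilege operating "
                         "system accounts for all application components, services, "
                         "and servers. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))"},
                # Assumed marker for a deleted requirement kept as a number placeholder.
                {"bom-ref": "V1.2.4", "identifier": "V1.2.4", "parent": "V1.2",
                 "text": "[DELETED, MERGED TO 1.2.3]"},
            ],
        }]
    },
}

# Matches the trailing Proactive Controls cross-reference, e.g. " ([C3](https://...))".
LINK_TAG = re.compile(r"\s*\(\[C\d+\]\(https?://[^)\s]*\)\)")
DELETED = re.compile(r"^\s*\[DELETED")


def versioned_ref(ref, version):
    """Rewrite 'V1.2.3' to 'v4.0.3-1.2.3'; leave refs that are not chapter/section/requirement numbers alone."""
    m = re.fullmatch(r"[Vv](\d+(?:\.\d+)*)", ref)
    return f"v{version}-{m.group(1)}" if m else ref


def is_deleted(req):
    return bool(DELETED.match(req.get("text", "")))


def clean_standard(doc):
    """Return a cleaned copy: placeholders removed, link tags stripped, refs versioned."""
    out = copy.deepcopy(doc)
    for std in out["definitions"]["standards"]:
        version = std["version"]
        kept = [r for r in std["requirements"] if not is_deleted(r)]
        for r in kept:
            r["bom-ref"] = versioned_ref(r["bom-ref"], version)
            if "parent" in r:  # keep the hierarchy consistent with the new refs
                r["parent"] = versioned_ref(r["parent"], version)
            if "text" in r:
                r["text"] = LINK_TAG.sub("", r["text"]).strip()
        std["requirements"] = kept
    return out


def dangling_parents(doc):
    """bom-refs of requirements whose 'parent' no longer resolves inside the standard."""
    missing = []
    for std in doc["definitions"]["standards"]:
        refs = {r["bom-ref"] for r in std["requirements"]}
        missing += [r["bom-ref"] for r in std["requirements"]
                    if "parent" in r and r["parent"] not in refs]
    return missing


if __name__ == "__main__":
    cleaned = clean_standard(SAMPLE)
    print(json.dumps(cleaned, indent=2))
    print("dangling parents:", dangling_parents(cleaned))
```

Running the script prints the cleaned document with three requirements (`v4.0.3-1`, `v4.0.3-1.2`, `v4.0.3-1.2.1`) and an empty dangling-parent list; a real export should be checked the same way after any requirement is dropped, since a deleted section would otherwise orphan everything beneath it.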
CycloneDX file (JSON) in addition to the existing ASVS-specific JSON, XML, and CSV
Can you please explain, why ASVS should export JSON for CycloneDX instead of CycloneDX importing JSON from ASVS and generate one on the CycloneDX side? The output file is anyway held on the CycloneDX side, the output format is declared by CycloneDX. For me it feels it should be all done on the CycloneDX side.
@elarlang on the one hand, I understand what you are saying and it does feel like it could be generated by CycloneDX from our existing output.
On the other hand, since @stevespringett has created a PR with the code to actually do it, I am inclined to just accept this and move on.
I appreciate that it sets a precedent that anyone can come along and add their own output format but that is a problem we can address if it ever happens :)
I do however want to verify that the code works before I merge the PR so it may be a few days.
What is the use-case and problem to solve here? If someone wants to get CycloneDX compatible ASVS output - is it easier to just download it from CycloneDX or download ASVS certain version and export it to CycloneDX format?
From ASVS perspective it's extra legacy with format, which is not directly related to ASVS. If there is new version and format of CycloneDX, then what is the scenario? Do we need to have each output (generator) for each version of CycloneDX x each version of ASVS?
I see that we can help with documentation and links, duplicating the same export script to two different projects is just overhead.
Thanks for asking @elarlang. This is forcing me to improve the "elevator pitch". Representing standards and requirements in CycloneDX is a means to an end. The primary use case for this is attestations. Currently, a general-purpose machine-readable attestation format does not exist. CycloneDX is creating one. This will open up a ton of new use cases that were not previously possible.
For example, a third-party assessor could provide a CycloneDX attestation document that contains all the claims, evidence, counter evidence, and mitigation strategies for any organization seeking ASVS L2 compliance. The attestations would simply refer to the "official" ASVS standard in this format.
We'll be doing the same with BSIMM, OWASP SAMM, etc. So that when orgs want to have an assessment made, they'll receive a machine-readable attestation document back which they can consume and trigger workflows, and have greater visibility than they do today using PDFs or spreadsheets.
The standards bodies themselves (OWASP ASVS in this case) would own the creation of their respective standard in a "standardized" machine readable format. Everyone else would simply be the consumer of that file which would then power all these other use cases.
Refer to https://docs.google.com/document/d/1KpbqD2QwSxm0eymvH56DXceqpWDsSPE0iUNBmkzkX6w/edit for more details.
Would a link within https://github.com/OWASP/ASVS/blob/master/5.0/en/0x03-Using-ASVS.md#level-1---first-steps-automated-or-whole-of-portfolio-view be suitable at this point in time similar to the mentions of other OWASP Projects?
@cmlh Once CycloneDX v1.6 goes through its formal standardization process and is released, yes, it would be ideal to be mentioned there. At this point in time, it's a bit too early.
Is the end game of CycloneDX pivoted to become the central attestation platform for relevant standards @stevespringett?
@cmlh no, it's morphing from a BOM standard into a transparency expression language. I'm briefing CISA tomorrow, and as you can see from the deck, the capabilities keep coming, and we have several more on the roadmap.
Thanks for clarification @stevespringett.
Would making this a separate OWASP Project, ASVS-CycloneDX, and then integrating your work as a Git Submodule to ASVS be a reasonable middle ground at this point in time?
I am not sure we would do that @cmlh as it adds more complexity than I think we want right now.
Hi @elarlang, we don't do this in our current output formats so I don't think we should be too concerned for this format. The JSON does clearly state the ASVS version at the start.