Add a table with links to original and CDXA versions of standards #13

Merged
Dec 12, 2023
60 changes: 27 additions & 33 deletions Attestations/en/0x20-Standards.md
@@ -1,38 +1,32 @@
# Standards
TODO
In CDXA, a "standard" is just a collection of security requirements. Each "standard" has a version number, description, an owner, and a list of requirements. The requirements themselves may be very specific and concrete, best practices, guidance, or even just priniciples. That's up to the standard creator. Many security standards are available in CDXA. You can see a list below.

In CDXA every requirement has:
* Identifier - should tie back to the original standard as much as possible
* Title - a short description
* Text - the actual text of the requirement
* Descriptions - an array of supplental text that provides guidance but is not directly part of the text
* OpenCRE Identifier (where possible)
* Parent (to support a hierarchy of requirements)
* External References

## Creating Your Own Standard
Every system is a beautiful and unique snowflake. It has it's own resources, connections, algorithms, data stores, and security mechanisms. An organization built it and an organization operates it. In short, it has a threat model all its own. That means that it probably has a unique set of security defenses, assurance techniques, and stakeholders.

In CDXA, you're free to create your own security standard. It could be a subset or superset of an existing standard. There are a lot of good reasons to tailor a security standard to your particular system. But remember, you may be required to follow one or more external security standards. As we move into making claims and substantiating those claims in CDXA, you'll see how you can capture your approach to existing requirements to show compliance.

# TODO - add links for CDXA versions of PCI SSS and OWASP SAMM
| Original Standard | CDXA Version |
| --- | --- |
| [NIST Secure Software Development Framework (SSDF)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf) | [CDXA-SSDF](https://github.com/CycloneDX/official-3rd-party-standards/blob/main/standards/NIST/SSDF/nist_secure-software-development-framework_1.1.cdx.json) |
| [PCI Secure SLC Standard](https://docs-prv.pcisecuritystandards.org/Software%20Security/Standard/PCI-Secure-SLC-Standard-v1_1.pdf) | [CDXA-PCI-SSLC](https://github.com/CycloneDX/official-3rd-party-standards/blob/main/standards/PCI_Security_Standards_Council/Secure_SLC/pcissc-secure-slc-1.1.cdx.json) |
| [PCI Secure Software Standard](https://docs-prv.pcisecuritystandards.org/Software%20Security/Standard/PCI-Secure-Software-Standard-v1_2_1.pdf) | [CDXA-PCI-SSS](http://link.com) |
| [Build Security In Maturity Model (BSIMM)](https://www.synopsys.com/software-integrity/resources/analyst-reports/bsimm.html) | [CDXA-BSIMM](https://github.com/CycloneDX/official-3rd-party-standards/blob/main/standards/BSIMM/bsimm-v13.cdx.json) |
| [OWASP Application Security Verification Standard (ASVS)](https://github.com/OWASP/ASVS/raw/v4.0.3/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0.3-en.pdf) | [CDXA-OWASP-ASVS](https://github.com/CycloneDX/official-3rd-party-standards/blob/main/standards/OWASP/ASVS/asvs-4.0.3.cdx.json) |
| [OWASP Mobile Application Security Verification Standard (MASVS)](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS.pdf) | [CDXA-OWASP-MASVS](https://github.com/CycloneDX/official-3rd-party-standards/blob/main/standards/OWASP/MASVS/masvs-2.0.0.cdx.json) |
| [OWASP Software Component Verification Standard (SCVS)](https://scvs.owasp.org/scvs/) | [CDXA-OWASP-SCVS](scvs-1.0.0.cdx.json) |
| [OWASP Software Assurance Maturity Model (SAMM)](https://drive.google.com/file/d/1cI3Qzfrly_X89z7StLWI5p_Jfqs0-OZv/view?usp=sharing) | [CDXA-OWASP-SAMM](http://link.com) |

## NIST Secure Software Development Framework (SSDF)
TODO

## PCI Security Standards Council
TODO

### PCI Secure SLC
TODO

### PCI Secure Software Standard
TODO

## Build Security In Maturity Model (BSIMM)
TODO

## OWASP Application Security Verification Standard (ASVS)
TODO

## OWASP Mobile Application Security Verification Standard (MASVS)
TODO

## OWASP Software Component Verification Standard (SCVS)
TODO

## OWASP Software Assurance Maturity Model (SAMM)
TODO



TODO / Add table that lists standards and the CDX version of those standards

TODO / Include example standard snippet

<div style="page-break-after: always; visibility: hidden">
\newpage
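Review bot: two rows of the new table still point at the placeholder `http://link.com` (`| [CDXA-PCI-SSS](http://link.com) |` and `| [CDXA-OWASP-SAMM](http://link.com) |`), and the line `# TODO - add links for CDXA versions of PCI SSS and OWASP SAMM` directly above the table is a Markdown H1 and will render as a heading in the published page; either link those two rows to the real `.cdx.json` files in the official-3rd-party-standards repository or drop the rows for now and keep the TODO as an HTML comment (`<!-- ... -->`) so readers are not sent to a dead link. The SCVS row uses a bare relative link `scvs-1.0.0.cdx.json` while every other CDXA link is a full GitHub URL, so it will break unless that file is published next to this document; make it consistent with its neighbours. The SAMM source column links to a Google Drive share rather than a stable owasp.org or GitHub location, which is fragile for a standards reference. With the table in place, the trailing `TODO / Add table that lists standards and the CDX version of those standards` line is now done and can be removed, and the prose typos in the same file ("priniciples", "supplental", "it's own") would be cheap to fix in this commit.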