Added new category for threat modeling #126

Open
wants to merge 5 commits into
base: main
Changes from 3 commits
11 changes: 6 additions & 5 deletions README.md
Expand Up @@ -17,11 +17,12 @@ Each entry has the following values:
- Level 2: for any code project that has at least 2 maintainers and a small number of consistent users
- Level 3: for any code project that has a large number of consistent users
- **Category**:
- Access Control
- Build & Release
- Documentation
- Quality
- Legal
- AC: Access Control
- BR: Build & Release
- DO: Documentation
- LE: Legal
- QA: Quality
- SA: Security Assessment
- **Criterion**:
- A concise statement of the requirement
- Contains `MUST` or `MUST NOT` and is written in present tense
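Review bot: the new `SA: Security Assessment` code added at the end of this list does not match the label the baseline.yaml hunks in this same PR give the entries that carry the `OSPS-SA-*` ids (`category: Threat Modeling`), nor the PR title; settle on one name for the category and use it in both files, and consider listing the code-to-name mapping in the Lexicon section as well so the prefix is defined in one place. Reordering the existing codes alphabetically is fine, but it is unrelated to the new category and would be easier to review as its own commit.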
58 changes: 43 additions & 15 deletions baseline.yaml
Expand Up @@ -404,16 +404,17 @@ criteria:
scorecard_probe:
- # None, may not be suitable

- id: OSPS-DO-03
- id: OSPS-SA-01
maturity_level: 2
category: Documentation
category: Threat Modeling
eddie-knight marked this conversation as resolved.
Need to either update the "category" label here, or auto-generate it from the id.

criterion: |
The project documentation MUST provide user
guides for all basic functionality.
rationale: |
Ensure that users have a clear and
comprehensive understanding of the project's
current features in order to prevent damage
Ensure that users and threat assessors have a
clear and comprehensive understanding of the
project's current features in order to
streamline assessments and prevent damage
from misuse or misconfiguration.
details: |
Create user guides or documentation for all
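Review bot: renaming `OSPS-DO-03` to `OSPS-SA-01` moves this entry into a new category, but the unchanged criterion, `The project documentation MUST provide user guides for all basic functionality.`, is still a documentation requirement; the point that assessors depend on those guides is already carried by the rewritten rationale, so either keep the `OSPS-DO-03` id and `Documentation` category here, or add a sentence to the PR explaining why user guides count as a security-assessment control. The `category: Threat Modeling` line also disagrees with the README hunk, where `SA` expands to `Security Assessment`, which is what the inline comment above asks to be reconciled.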
Expand All @@ -423,7 +424,8 @@ criteria:
known dangerous or destructive actions
available, include highly-visible warnings.
control_mappings: # TODO
security_insights_value: # TODO
security_insights_value: |
project.documentation.detailed-guide

- id: OSPS-DO-04
maturity_level: 2
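Review bot: confirm that `project.documentation.detailed-guide`, the value now given on the `security_insights_value` line, is a field path that exists in the Security Insights schema version this project targets, and name that version in the PR; it is the only mapping in the patch that is no longer `# TODO`, so a typo in it would not stand out to a reader of the diff, and the `control_mappings: # TODO` line just above it still remains to be filled for the entry being moved.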
Expand Down Expand Up @@ -505,9 +507,9 @@ criteria:
control_mappings: # TODO
security_insights_value: # TODO

- id: OSPS-DO-07
- id: OSPS-SA-02
maturity_level: 2
category: Documentation
category: Threat Modeling
criterion: |
The project documentation MUST provide
design documentation demonstrating all
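Review bot: renaming `OSPS-DO-07` to `OSPS-SA-02` here (and `OSPS-DO-09` to `OSPS-SA-03` further down) leaves holes in the `OSPS-DO-*` sequence while `OSPS-DO-04` and the other `DO` entries keep their numbers; criterion ids are the stable handles that downstream tooling and external references will key on, so either retain the old ids and record the move in the Lexicon, or state in the PR description that ids are not yet considered stable. If renumbering is intended, also check that nothing else in baseline.yaml or the README still refers to `OSPS-DO-07` or `OSPS-DO-09`.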
Expand Down Expand Up @@ -550,19 +552,19 @@ criteria:
control_mappings: # TODO
security_insights_value: # TODO

- id: OSPS-DO-09
- id: OSPS-SA-03
maturity_level: 3
category: Documentation
category: Threat Modeling
criterion: |
The project documentation MUST include
descriptions of all external input and output
interfaces of the released software assets.
rationale: |
Provide users and developers with an
understanding of how to interact with the
project's software and integrate it with
other systems, enabling them to use the
software effectively.
Provide users, contributors, and assessors
with an understanding of how to interact with
the project's software to integrate it with
other systems, enabling them to fully
understand the software's capabilities.
details: |
Document all input and output interfaces of
the released software assets, explaining how
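Review bot: the rewritten rationale turns two purposes into one by changing `interact with the project's software and integrate it with other systems` to `interact with the project's software to integrate it with other systems`, and its new closing phrase `enabling them to fully understand the software's capabilities` restates the opening `understanding of how to interact`. Suggest keeping the original `and integrate it with other systems` and replacing the closing clause with something that says why assessors were added to the audience, for example that documented interfaces let an assessor enumerate the trust boundaries the released assets expose; that ties the entry to its new category instead of only widening the reader list.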
Expand Down Expand Up @@ -960,6 +962,32 @@ criteria:
security_insights_value: # TODO
scorecard_probe: # sastToolRunsOnAllCommits

- id: OSPS-TM-04
eddie-knight marked this conversation as resolved.
Suggested change
- id: OSPS-TM-04
- id: OSPS-SA-04

maturity_level: 2
category: Threat Modeling
criterion: |
The project documentation MUST include a
document that details the assets, threats,
and mitigations for the project.
rationale: |
Provide a structured approach to identifying
and addressing security threats to the
project, enabling contributors and users to
understand the risks and mitigations in place.
details: |
Create a threat model or assessment for the
project. This will identify the assets,
threats, and mitigations for the project.
Include information on the potential threats
to the project's assets and the measures in
place to mitigate those threats.

The authoring process will be simplified if
including or referencing the output from
OSPS-TM-01, OSPS-TM-02, and OSPS-TM-03.
These links are probably wrong.

control_mappings: # TODO
security_insights_value: # TODO

# # # #
#
# Lexicon
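Review bot: `maturity_level: 2` on this entry conflicts with the dependency its own `details` block describes: the threat model is said to be simplified by including the output of the three preceding criteria, but the interface-documentation entry renamed to `OSPS-SA-03` earlier in this patch is `maturity_level: 3`, so a level-2 project would be asked to build on a document it is not yet required to have; either lower that entry to 2 or raise this one to 3. Separately, once the suggested rename to `OSPS-SA-04` is taken, the `OSPS-TM-01, OSPS-TM-02, and OSPS-TM-03` references in `details` need to become `OSPS-SA-01`, `OSPS-SA-02`, and `OSPS-SA-03`, since no `OSPS-TM-*` ids are defined anywhere in the patch; that is the mismatch the inline comment `These links are probably wrong.` is pointing at.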