Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update baseline.yaml - NEW - OSPS-DO-18 #121

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

SecurityCRob
Copy link
Contributor

added proposal for Threat modeling, attack surface analysis, and/or data-flow analysis as part of process & docs

added proposal for Threat modeling, attack surface analysis, and/or data-flow analysis as part of process & docs

Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
baseline.yaml Outdated Show resolved Hide resolved
baseline.yaml Show resolved Hide resolved
Copy link

@evankanderson evankanderson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 on providing specific examples of how to locate the threat model. I think it's fine to grow more examples over time, but leaving this a blank slate makes it hard for tools and project owners to converge on a small set of solutions rather than balls of markdown.

baseline.yaml Show resolved Hide resolved
@SecurityCRob SecurityCRob added documentation Improvements or additions to documentation enhancement New feature or request labels Dec 18, 2024
SecurityCRob and others added 2 commits December 18, 2024 16:25
Co-authored-by: Puerco <puerco@users.noreply.github.com>
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
Comment on lines +658 to +659
against critical code paths, functions, and interactions
with the system.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
against critical code paths, functions, and interactions
with the system.
against attacks on critical code paths, functions, and interactions
within the system.

Presumably we don't want to prevent the use of critical code paths :-).

Comment on lines +661 to +662
Projects need to conduct threat modeling, attack
surface analysis, and data-flow analysis in order
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Projects need to conduct threat modeling, attack
surface analysis, and data-flow analysis in order
Projects need to conduct threat modeling and attack
surface analysis in order

Just say threat modeling. Data flow analysis typically follows on as part of threat modeling, but you can do lots of data flow analysis that has nothing to do with security, and there's no need to require it. Just require the threat modeling and I think you're covered.

Comment on lines +669 to +672
implementation: |
Create a status check that checks the project's
version control system for documented threat
modeling, attack surface analysis, and data flow analysis.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
implementation: |
Create a status check that checks the project's
version control system for documented threat
modeling, attack surface analysis, and data flow analysis.
implementation: |
Select a threat modeling approach such as STRIDE, DREAD, PASTA, or VAST, then apply it.
This will typically involve identifying the scope and purpose of the system,
identifying its assets (which need protection), examining the architecture for threats,
determining their likelihood and impact, and selecting mitigation strategies.
autofill: |
Create a status check that checks the project's
version control system for documented threat
modeling, attack surface analysis, and data flow analysis.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants