From 665f9c0f82141c9846454cf7647a706ce9948411 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Wed, 18 Dec 2024 14:43:18 -0500 Subject: [PATCH 1/6] Update baseline.yaml - NEW - OSPS-DO-18 added proposal for Threat modeling, attack surface analysis, and/or data-flow analysis as part of process & docs Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- baseline.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/baseline.yaml b/baseline.yaml index 941c68c..e3b94e6 100644 --- a/baseline.yaml +++ b/baseline.yaml @@ -649,6 +649,33 @@ criteria: security_insights_value: # TODO scorecard_probe: # TODO + - id: OSPS-DO-18 + maturity_level: 2 + category: Documentation + criteria: | + The project MUST perform threat modeling and + attack surface analysis to understand and protect + against critical code paths, functions, and interactions + with the system. + objective: | + Projects need to conduct threat modeling, attack + surface analysis, and data-flow analysis in order + to understand, document, and plan protections + to avoid future explotation of threats and weaknesses. + + Identifying these areas helps the project plan on + reducing potential attack surface and to harden + the software from specific attacks. + implementation: | + Create a status check that checks the project's + version control system for documented threat + modeling, attack surface analysis, and data flow analysis. + control_mappings: # TODO + security_insights_value: # TODO + scorecard_probe: # + + + - id: OSPS-LE-01 maturity_level: 2 category: Legal From 92bf64fb08784357f40a49ddeae12ccb0b0b7bb8 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Wed, 18 Dec 2024 16:25:01 -0500 Subject: [PATCH 2/6] Update baseline.yaml Co-authored-by: Puerco 
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- baseline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baseline.yaml b/baseline.yaml index e3b94e6..6683ed3 100644 --- a/baseline.yaml +++ b/baseline.yaml @@ -649,7 +649,7 @@ criteria: security_insights_value: # TODO scorecard_probe: # TODO - - id: OSPS-DO-18 + - id: OSPS-DO-18 maturity_level: 2 category: Documentation criteria: | From b1c62eebf8381c8297f8cc60f4cc7b6ca61d08ea Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Fri, 20 Dec 2024 09:53:32 -0500 Subject: [PATCH 3/6] Update baseline.yaml Co-authored-by: Evan Anderson Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- baseline.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/baseline.yaml b/baseline.yaml index 6683ed3..70668fb 100644 --- a/baseline.yaml +++ b/baseline.yaml @@ -670,6 +670,11 @@ criteria: Create a status check that checks the project's version control system for documented threat modeling, attack surface analysis, and data flow analysis. + + The location of the written threat model MAY be expressed using [the `security-artifacts.threat-model` + fields in `SECURITY-INSIGHTS.yaml`](https://github.com/ossf/security-insights-spec/blob/main/specification/security-artifacts.md), + or via a [SPDX external reference](https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Vocabularies/ExternalRefType/) + of type `securityThreatModel`, for example. control_mappings: # TODO security_insights_value: # TODO scorecard_probe: # From 79ef74214a6dec49ee8035f8698958dc52215f79 Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 2 Jan 2025 11:24:50 -0500 Subject: [PATCH 4/6] Update baseline.yaml Co-authored-by: David A. Wheeler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- baseline.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/baseline.yaml b/baseline.yaml index 70668fb..493cc84 100644 --- a/baseline.yaml +++ b/baseline.yaml @@ -655,8 +655,8 @@ criteria: criteria: | The project MUST perform threat modeling and attack surface analysis to understand and protect - against critical code paths, functions, and interactions - with the system. + against attacks on critical code paths, functions, and interactions + within the system. objective: | Projects need to conduct threat modeling, attack surface analysis, and data-flow analysis in order From a4e59421bbd374c7843a3376698222e41777489c Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 2 Jan 2025 11:24:58 -0500 Subject: [PATCH 5/6] Update baseline.yaml Co-authored-by: David A. Wheeler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- baseline.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/baseline.yaml b/baseline.yaml index 493cc84..cfeb859 100644 --- a/baseline.yaml +++ b/baseline.yaml @@ -658,8 +658,8 @@ criteria: against attacks on critical code paths, functions, and interactions within the system. objective: | - Projects need to conduct threat modeling, attack - surface analysis, and data-flow analysis in order + Projects need to conduct threat modeling and attack + surface analysis in order to understand, document, and plan protections to avoid future explotation of threats and weaknesses. From 7623b8858e5d9ab0f43a56f981beefbd3c21626e Mon Sep 17 00:00:00 2001 From: CRob <69357996+SecurityCRob@users.noreply.github.com> Date: Thu, 2 Jan 2025 11:25:07 -0500 Subject: [PATCH 6/6] Update baseline.yaml Co-authored-by: David A. Wheeler Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com> --- baseline.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/baseline.yaml b/baseline.yaml index cfeb859..d7703ce 100644 --- a/baseline.yaml +++ b/baseline.yaml 
@@ -667,6 +667,11 @@ criteria: reducing potential attack surface and to harden the software from specific attacks. implementation: | + Select a threat modeling approach such as STRIDE, DREAD, PASTA, or VAST, then apply it. + This will typically involve identifying the scope and purpose of the system, + identifying its assets (which need protection), examining the architecture for threats, + determining their likelihood and impact, and selecting mitigation strategies. + autofill: | Create a status check that checks the project's version control system for documented threat modeling, attack surface analysis, and data flow analysis.
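Review bot: [PATCH 1/6], hunk `@@ -649,6 +649,33 @@`: the `criteria` requires the project to "perform" threat modeling and attack surface analysis, but the `implementation` text can only verify documented artifacts in version control, so the requirement should read that the project MUST perform and document (or publish) the analysis; as written, a project can satisfy the criterion with no checkable evidence. In the same hunk, `objective` misspells "exploitation" as "explotation"; `objective` and `implementation` both add "data-flow analysis", which the `criteria` text never mentions, so the three fields should agree on one list; `scorecard_probe: #` drops the `TODO` marker that the neighbouring entries use (`scorecard_probe: # TODO`); and the three blank lines before `- id: OSPS-LE-01` should collapse to the single blank line used between other entries.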
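Review bot: [PATCH 2/6] is a whitespace-only change to the `- id: OSPS-DO-18` line that PATCH 1/6 introduced (the `-`/`+` pair is textually identical apart from trailing whitespace); squash it into PATCH 1/6 so the series does not carry a fixup commit.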
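Review bot: [PATCH 3/6], hunk `@@ -670,6 +670,11 @@`: the new paragraph points at the `security-artifacts.threat-model` fields in `SECURITY-INSIGHTS.yaml`, yet the entry's own `security_insights_value: # TODO` (visible in the trailing context) is left unfilled; set it to that field path in this patch so the status check described two lines above has a concrete place to look rather than a "MAY be expressed" hint. Also say which of the two locations (Security Insights or the SPDX `securityThreatModel` external reference) the check consults first, since the paragraph offers them as alternatives without an order of precedence.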
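Review bot: [PATCH 5/6], hunk `@@ -658,8 +658,8 @@`: removing "data-flow analysis" from `objective` brings it in line with `criteria`, but the implementation paragraph that follows in context ("documented threat modeling, attack surface analysis, and data flow analysis.") still lists it, so the entry remains inconsistent; drop it there as well, or add it back to `criteria` if it is meant to be required.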
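Review bot: [PATCH 6/6], hunk `@@ -667,6 +667,11 @@`: `autofill: |` is a key that no other entry in the visible file uses (the surrounding entries use `implementation`, `control_mappings`, `security_insights_value` and `scorecard_probe`), so confirm the baseline schema and tooling accept it before merging; otherwise the "Create a status check ..." text, which this hunk re-parents from `implementation` to `autofill`, becomes an unrecognised field. On the new guidance text, DREAD is a risk-rating scheme for scoring threats that another method has already found, not a method for finding them, so list it under "determining their likelihood and impact" rather than as a peer of STRIDE, PASTA and VAST.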