Add proposal for threat modeling/attack analysis - NEW - OSPS-DO-18 #121

Closed
37 changes: 37 additions & 0 deletions baseline.yaml
Expand Up @@ -649,6 +649,43 @@ criteria:
security_insights_value: # TODO
scorecard_probe: # TODO

- id: OSPS-DO-18
maturity_level: 2
category: Documentation
criteria: |
The project MUST perform threat modeling and
attack surface analysis to understand and protect
against attacks on critical code paths, functions, and interactions
within the system.
objective: |
Projects need to conduct threat modeling and attack
surface analysis in order
to understand, document, and plan protections
to avoid future explotation of threats and weaknesses.

Identifying these areas helps the project plan on
reducing potential attack surface and to harden
the software from specific attacks.
implementation: |
Select a threat modeling approach such as STRIDE, DREAD, PASTA, or VAST, then apply it.
This will typically involve identifying the scope and purpose of the system,
identifying its assets (which need protection), examining the architecture for threats,
determining their likelihood and impact, and selecting mitigation strategies.
autofill: |

Suggested change
autofill: |
autofill: |


I'm not sure that autofill is in our schema.

Create a status check that checks the project's
version control system for documented threat
modeling, attack surface analysis, and data flow analysis.

The location of the written threat model MAY be expressed using [the `security-artifacts.threat-model`
fields in `SECURITY-INSIGHTS.yaml`](https://github.com/ossf/security-insights-spec/blob/main/specification/security-artifacts.md),
or via a [SPDX external reference](https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Vocabularies/ExternalRefType/)
of type `securityThreatModel`, for example.
control_mappings: # TODO
security_insights_value: # TODO
scorecard_probe: #



- id: OSPS-LE-01
maturity_level: 2
category: Legal
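Review bot: the `autofill` text at the end of the new OSPS-DO-18 entry asks the status check to look for documented "data flow analysis", but `criteria` and `objective` only require threat modeling and attack surface analysis, so the check would test for something the criterion never mandates; either add data flow analysis to `criteria` or drop it from `autofill`. In the same vein, `criteria` says the project MUST "perform" the analysis while the entry sits under `category: Documentation` and the proposed check looks for documented results in version control, so wording the requirement as "MUST document" (or "perform and document") would make it verifiable. Smaller points: "explotation" in `objective` should be "exploitation", `scorecard_probe: #` is missing the `TODO` marker that the entry above carries, and the extra blank lines before `- id: OSPS-LE-01` can be reduced to one.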