A huge thank you to Jim Kelly who provided a mapping of the NIST 800-53 security controls to the OWASP Testing Guide!
Background:
OWTF is currently aligned to the OWASP Testing Guide v3, which is still OK since v4 is far from complete. However, we need to make the mapping to standards a bit more flexible because:
OWASP is shuffling OWASP Testing Guide codes: This means we should move away from using OWASP codes in plugin names in the future.
There are other standards, like the NIST 800-53 security controls, that we should also try to map our plugins to.
Feature:
The idea of this feature is to map the existing plugins (we will worry about the OWASP Testing Guide v4 when that is complete) to the NIST 800-53 security controls.
To do this, the following is involved (from the top of my head!):
1) Change the web_testgroups.cfg configuration file to have a NEW column with the relevant code of the associated NIST 800-53 security control (Jim provided a file with this mapping!)
2) Create a lookup config file for NIST 800-53 security control code <-> description pairs
3) Change the OWTF report so that UNDER the OWASP Testing Guide item, we also show the relevant NIST 800-53 security control (BOTH code + description, as we do with the OWASP Testing Guide).
Aesthetics note on point 3): Maybe this could be shown with a smaller font so that it does not take a lot more space?
Nice touch: Add the NIST security controls to the advanced OWTF filter so that a user is able to filter by the security controls they are testing
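The three steps above (extra column in web_testgroups.cfg, a code/description lookup file, and the report showing the NIST control under each OWASP item) plus the filter, worked through in an added example that is not OWTF's own code: the two config samples are constructed and tab-separated (OWTF's real file format is not assumed here), the sqlite schema is assumed, and the OWASP codes are placeholders; the NIST control ids and names are real 800-53 entries. The `unmapped_controls` check is the one you want before shipping the mapping, so a control referenced by a test group but missing from the lookup file is caught instead of rendering as an empty description.

```python
import sqlite3
# Constructed web_testgroups.cfg-style sample with the proposed extra column
# holding the NIST 800-53 control (tab-separated; format assumed, not OWTF's).
TESTGROUPS_CFG = """\
# owasp_code\tdescriptive_name\tnist_control
OWASP-XX-001\tConstructed authentication test group\tIA-5
OWASP-XX-002\tConstructed input validation test group\tSI-10
OWASP-XX-004\tConstructed account handling test group\tAC-2
"""
# Constructed lookup file of NIST 800-53 control code <-> description pairs;
# AC-2 is deliberately missing to show how a gap in the lookup is caught.
NIST_LOOKUP_CFG = """\
IA-5\tAuthenticator Management
SI-10\tInformation Input Validation
SC-8\tTransmission Confidentiality and Integrity
"""
def parse_tsv(text):
    """Parse a tab-separated config, skipping blank lines and # comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(tuple(f.strip() for f in line.split("\t")))
    return rows

def build_db(testgroups_cfg, nist_cfg):
    """Load both config files into an in-memory sqlite DB (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE testgroup (code TEXT PRIMARY KEY, name TEXT, nist_control TEXT);
        CREATE TABLE nist_control (code TEXT PRIMARY KEY, description TEXT);""")
    db.executemany("INSERT INTO testgroup VALUES (?, ?, ?)", parse_tsv(testgroups_cfg))
    db.executemany("INSERT INTO nist_control VALUES (?, ?)", parse_tsv(nist_cfg))
    return db

def report_rows(db, nist_filter=None):
    """Report rows (owasp_code, name, nist_code, nist_description); LEFT JOIN keeps
    a test group whose control is missing from the lookup instead of dropping it."""
    sql = ("SELECT t.code, t.name, t.nist_control, n.description FROM testgroup t "
           "LEFT JOIN nist_control n ON n.code = t.nist_control")
    params = ()
    if nist_filter:  # the 'advanced filter' case: only items under one control
        sql, params = sql + " WHERE t.nist_control = ?", (nist_filter,)
    return db.execute(sql + " ORDER BY t.code", params).fetchall()

def unmapped_controls(db):
    """Control codes used in web_testgroups.cfg but absent from the lookup file."""
    rows = db.execute("SELECT DISTINCT t.nist_control FROM testgroup t LEFT JOIN nist_control n "
                      "ON n.code = t.nist_control WHERE n.code IS NULL ORDER BY 1").fetchall()
    return [code for (code,) in rows]
```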
Hi Jim, yes, good thinking. The mapping needs some form of a relational DB and sqlite is a good choice for organizing configuration information such as plugins vs. standards mappings. Thanks for providing the sqlite DB yourself!
The final NIST 800-53 document, from April 2013, can be found here:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf