
NIST 800-53 mapping #113

Closed
7a opened this issue Dec 11, 2013 · 4 comments

@7a (Member) commented Dec 11, 2013

A huge thank you to Jim Kelly who provided a mapping of the NIST 800-53 security controls to the OWASP Testing Guide!

Background:
OWTF is currently aligned to the OWASP Testing Guide v3, which is still OK since v4 is far from complete. However, we need to make the mapping to standards a bit more flexible because:

  1. OWASP is shuffling OWASP Testing Guide codes: This means we should move away from using OWASP codes in plugin names in the future.
  2. There are other standards, like the NIST 800-53 security controls, that we should also try to map our plugins to.

The final NIST 800-53 document, from April 2013, can be found here:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Feature:
The idea of this feature is to map the existing plugins (we will worry about the OWASP Testing Guide v4 when that is complete) to the NIST 800-53 security controls.

To do this, the following is involved (from the top of my head!):

  1. Change the web_testgroups.cfg configuration file to have a NEW column with the relevant code of the associated NIST 800-53 security control (Jim provided a file with this mapping!)
  2. Create a lookup config file for NIST 800-53 security control code <-> description pairs
  3. Change the OWTF report so that UNDER the OWASP Testing Guide item, we also show the relevant NIST 800-53 security control (BOTH code + description, as we do with the OWASP Testing Guide).
    Aesthetics note on point 3): Maybe this could be shown with a smaller font so that it does not take a lot more space?
  4. Nice touch: Add the NIST security controls to the advanced OWTF filter so that a user is able to filter by the security controls they are testing
@macubergeek commented

We might want to consider implementing this mapping in a sqlite3 database! I've got one set up already; I just need to populate it with records.
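Points 1 to 4 of the feature description above, together with the sqlite3 suggestion in this comment, as an added illustration that is not OWTF's own code: a constructed, tab-separated stand-in for web_testgroups.cfg carrying the proposed NIST column and a constructed code/description lookup file are loaded into an in-memory sqlite3 database, then queried the way the report (point 3) and the advanced filter (point 4) would. The column layout, table names and sample rows are assumptions; the OWASP v3 codes and NIST control titles are illustrative sample values.

```python
import sqlite3

# Constructed stand-in for web_testgroups.cfg with the proposed NEW last column
# (comma-separated NIST 800-53 codes); the tab layout is assumed, not OWTF's own.
WEB_TESTGROUPS_CFG = """\
# code<TAB>description<TAB>nist_controls
OWASP-CM-001\tSSL/TLS Testing\tSC-8
OWASP-AT-004\tBrute Force Testing\tAC-7,IA-5
OWASP-DV-001\tReflected Cross Site Scripting\tSI-10
"""
# Constructed lookup file for point 2: NIST control code<TAB>description.
NIST_LOOKUP_CFG = """\
SC-8\tTransmission Confidentiality and Integrity
AC-7\tUnsuccessful Logon Attempts
IA-5\tAuthenticator Management
SI-10\tInformation Input Validation
"""


def build_db(testgroups_cfg, nist_cfg):
    """Load both config texts into an in-memory sqlite3 DB, one table per concept."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE test_group(code TEXT PRIMARY KEY, descrip TEXT);
        CREATE TABLE nist_control(code TEXT PRIMARY KEY, descrip TEXT);
        CREATE TABLE group_control(group_code TEXT, control_code TEXT, PRIMARY KEY (group_code, control_code));
    """)
    for line in nist_cfg.splitlines():
        if line and not line.startswith("#"):
            db.execute("INSERT INTO nist_control VALUES (?, ?)", line.split("\t", 1))
    for line in testgroups_cfg.splitlines():
        if not line or line.startswith("#"):
            continue
        code, descrip, controls = line.split("\t")
        db.execute("INSERT INTO test_group VALUES (?, ?)", (code, descrip))
        for control in controls.split(","):
            # A code with no lookup entry would reach the report without a description: fail at load time.
            if not db.execute("SELECT 1 FROM nist_control WHERE code = ?", (control,)).fetchone():
                raise ValueError(f"{code}: unknown NIST control {control!r}")
            db.execute("INSERT INTO group_control VALUES (?, ?)", (code, control))
    db.commit()
    return db


def report_entries(db, group_code):
    """Point 3: (code, description) of each NIST control listed under one OWASP item."""
    return db.execute("""SELECT n.code, n.descrip FROM group_control gc
                         JOIN nist_control n ON n.code = gc.control_code
                         WHERE gc.group_code = ? ORDER BY n.code""", (group_code,)).fetchall()


def groups_for_control(db, control_code):
    """Point 4: the advanced-filter query, test groups that exercise one control."""
    rows = db.execute("SELECT group_code FROM group_control WHERE control_code = ?", (control_code,))
    return sorted(row[0] for row in rows)
```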

@7a (Member, Author) commented Dec 16, 2013

Hi Jim, yes, good thinking. The mapping needs some form of a relational DB and sqlite is a good choice for organizing configuration information such as plugins vs. standards mappings. Thanks for providing the sqlite DB yourself!

@macubergeek commented

I'm going to add a new table with vuln descriptions to the db I sent you sometime this week.
If you need the db changed let me know, it's super easy.

Jim

On Dec 16, 2013, at 6:35 AM, Abraham Aranguren notifications@github.com wrote:


@flabbergastedbd (Contributor) commented

Fixed in 3745111
