GitHub - OWASP/AppSec-Designer-Rule-Sets-for-Threat-Countermeasures-and-Security-Functional-Requirements: The most overtly detailed security blueprint you will ever need. Develop rule sets for use by Neo4j, AppSec Designer (TM), and any other tool choosing to use them, to define threat countermeasures and their related security functional component requirements.

OWASP / AppSec-Designer-Rule-Sets-for-Threat-Countermeasures-and-Security-Functional-Requirements Public

Notifications You must be signed in to change notification settings
Fork 3
Star 11

The most overtly detailed security blueprint you will ever need. Develop rule sets for use by Neo4j, AppSec Designer (TM), and any other tool choosing to use them, to define threat countermeasures and their related security functional component requirements.

11 stars 3 forks Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commit
Data Model.txt		Data Model.txt
Enumerating Software Security Design Flaws Throughout the SSDLC - COSAC 2016 - OWASP Project 2017.pptx		Enumerating Software Security Design Flaws Throughout the SSDLC - COSAC 2016 - OWASP Project 2017.pptx
NODE.Goals.csv		NODE.Goals.csv
NODE.Instance.csv		NODE.Instance.csv
NODE.Nodes.csv		NODE.Nodes.csv
NODE.RequirementText.csv		NODE.RequirementText.csv
NOTICE		NOTICE
Queries.txt		Queries.txt
README		README
REL.Dependencies.csv		REL.Dependencies.csv
REL.Instance.csv		REL.Instance.csv
REL.NodeTypes.csv		REL.NodeTypes.csv
REL.Packages.csv		REL.Packages.csv
REL.ReqtText.csv		REL.ReqtText.csv
STRIDE Attack Tree Mitigations.xlsx		STRIDE Attack Tree Mitigations.xlsx
TODO		TODO
rebuild.sh		rebuild.sh

Repository files navigation

README

This project is for defining a common set of security components based upon security requirements packages, consisting of security functional requirements (SFRs) which address various security goals/tactics/objectives. In addition, this project is for defining a set of threat/attack tree countermeasures, based upon technology platform, specifying the aforementioned applicable security components. The initial set of SFR data includes Common Criteria SFRs, and their interdependencies. Using neo4j, the physical instances of each security component may be modeled. The logical instance of each security component may then be expanded to report all dependent SFRs.

While initially developed for use with AppSec Designer (TM) from Turnaround Security, these data form a critical starting point for developing a robust community-driven set of rules, or libraries, for use in modeling the archtecture and design of the security components of applications. AppSec Designer (TM) is not required for using this data, as it may be entered and reported upon directly using neo4j.

For a conceptual overview of how AppSec Designer (TM) uses this data, see the video at https://www.kickstarter.com/projects/appsecdesigner/appsec-designer-tm, and the earlier PowerPoint presentation "Enumerating software security design flaws throughout the SSDLC".