NIST 800-53 mapping #113

Closed
7a opened this Issue Dec 11, 2013 · 4 comments


@7a
OWASP OWTF Crew member
7a commented Dec 11, 2013

A huge thank you to Jim Kelly who provided a mapping of the NIST 800-53 security controls to the OWASP Testing Guide!

Background:
OWTF is currently aligned to the OWASP Testing Guide v3, which is still OK since v4 is far from complete. However, we need to make the mapping to standards a bit more flexible because:
1) OWASP is shuffling OWASP Testing Guide codes: This means we should move away from using OWASP codes in plugin names in the future.
2) There are other standards, like the NIST 800-53 security controls, that we should also try to map our plugins to.

The final NIST 800-53 document, from April 2013, can be found here:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Feature:
The idea of this feature is to map the existing plugins (we will worry about the OWASP Testing Guide v4 when that is complete) to the NIST 800-53 security controls.

To do this, the following is involved (off the top of my head!):
1) Change the web_testgroups.cfg configuration file to have a NEW column with the relevant code of the associated NIST 800-53 security control (Jim provided a file with this mapping!)
2) Create a lookup config file for NIST 800-53 security control code <-> description pairs
3) Change the OWTF report so that UNDER the OWASP Testing Guide item, we also show the relevant NIST 800-53 security control (BOTH code + description, as we do with the OWASP Testing Guide).
Aesthetics note on point 3): Maybe this could be shown with a smaller font so that it does not take a lot more space?
4) Nice touch: Add the NIST security controls to the advanced OWTF filter so that a user is able to filter by the security controls they are testing

@macubergeek

We might want to consider implementing this mapping in a sqlite3 database! I've got one set up already I just need to populate it with records.

@7a
OWASP OWTF Crew member
7a commented Dec 16, 2013

Hi Jim, yes, good thinking. The mapping needs some form of relational DB, and sqlite is a good choice for organizing configuration information such as plugins vs. standards mappings. Thanks for providing the sqlite DB yourself!

@macubergeek
@tunnelshade
OWASP OWTF Crew member

Fixed in 3745111
