NIST 800-53 mapping #113

7a opened this Issue Dec 11, 2013 · 4 comments


7a commented Dec 11, 2013

A huge thank you to Jim Kelly who provided a mapping of the NIST 800-53 security controls to the OWASP Testing Guide!

OWTF is currently aligned to the OWASP Testing Guide v3, which is still OK since v4 is far from complete. However, we need to make the mapping to standards a bit more flexible because:
1) OWASP is shuffling OWASP Testing Guide codes: This means we should move away from using OWASP codes in plugin names in the future.
2) There are other standards, like the NIST 800-53 security controls, that we should also try to map our plugins to.

The final NIST 800-53 document, from April 2013, can be found here:

The idea of this feature is to map the existing plugins (we will worry about the OWASP Testing Guide v4 when that is complete) to the NIST 800-53 security controls.

To do this, the following is involved (off the top of my head!):
1) Change the web_testgroups.cfg configuration file to have a NEW column with the relevant code of the associated NIST 800-53 security control (Jim provided a file with this mapping!)
2) Create a lookup config file for NIST 800-53 security control code <-> description pairs
3) Change the OWTF report so that UNDER the OWASP Testing Guide item, we also show the relevant NIST 800-53 security control (BOTH code + description, as we do with the OWASP Testing Guide).
Aesthetics note on point 3): Maybe this could be shown with a smaller font so that it does not take a lot more space?
4) Nice touch: Add the NIST security controls to the advanced OWTF filter so that a user is able to filter by the security controls they are testing


We might want to consider implementing this mapping in a sqlite3 database! I've got one set up already I just need to populate it with records.

7a commented Dec 16, 2013

Hi Jim, yes, good thinking. The mapping needs some form of relational DB, and sqlite is a good choice for organizing configuration information such as plugins vs. standards mappings. Thanks for providing the sqlite DB yourself!


Fixed in 3745111
