A huge thank you to Jim Kelly who provided a mapping of the NIST 800-53 security controls to the OWASP Testing Guide!
OWTF is currently aligned to the OWASP Testing Guide v3, which is still OK since v4 is far from complete. However, we need to make the mapping to standards a bit more flexible because:
1) OWASP is shuffling OWASP Testing Guide codes: This means we should move away from using OWASP codes in plugin names in the future.
2) There are other standards, like the NIST 800-53 security controls, that we should also try to map our plugins to.
The final NIST 800-53 document, from April 2013, can be found here:
The idea of this feature is to map the existing plugins (we will worry about the OWASP Testing Guide v4 when that is complete) to the NIST 800-53 security controls.
To do this, the following is involved (off the top of my head!):
1) Change the web_testgroups.cfg configuration file to have a NEW column with the relevant code of the associated NIST 800-53 security control (Jim provided a file with this mapping!)
2) Create a lookup config file for NIST 800-53 security control code <-> description pairs
3) Change the OWTF report so that UNDER the OWASP Testing Guide item, we also show the relevant NIST 800-53 security control (BOTH code + description, as we do with the OWASP Testing Guide).
Aesthetics note on point 3): Maybe this could be shown with a smaller font so that it does not take a lot more space?
4) Nice touch: Add the NIST security controls to the advanced OWTF filter so that a user is able to filter by the security controls they are testing
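An added example (not OWTF's own code, and not the mapping file Jim provided) of the three pieces the steps above describe, built on the sqlite3 approach this thread converges on: a control lookup table (step 2), a plugin-to-control mapping (step 1), a report entry that prints the NIST control code and description under the OWASP item (step 3), and a reverse lookup that backs the filter in step 4. The plugin names are hypothetical and the sample mapping rows are constructed illustrations; the mapping table is many-to-many because one test can plausibly evidence several controls, which is an assumption of this example.

```python
import sqlite3

# Constructed illustration data only: a few NIST 800-53 controls and OWASP
# Testing Guide v3 items. This is NOT the mapping Jim supplied.
NIST_CONTROLS = [
    ("AC-7", "Unsuccessful Logon Attempts"),
    ("IA-5", "Authenticator Management"),
    ("SC-8", "Transmission Confidentiality and Integrity"),
    ("SI-10", "Information Input Validation"),
]

# (hypothetical plugin name, OWASP code, OWASP title, NIST control codes)
PLUGINS = [
    ("bruteforce", "OWASP-AT-004", "Brute Force Testing", ["AC-7", "IA-5"]),
    ("ssl_tls", "OWASP-CM-001", "SSL/TLS Testing", ["SC-8"]),
    ("sql_injection", "OWASP-DV-005", "SQL Injection", ["SI-10"]),
]


def build_mapping_db(path=":memory:"):
    """Create the lookup table, the plugin table and the mapping table.

    Foreign keys are switched on so that a plugin row referencing a control
    code that is not in the lookup table is rejected instead of silently
    producing an empty line in the report.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS nist_control (
            code        TEXT PRIMARY KEY,
            description TEXT NOT NULL);
        CREATE TABLE IF NOT EXISTS plugin (
            name        TEXT PRIMARY KEY,
            owasp_code  TEXT NOT NULL,
            owasp_title TEXT NOT NULL);
        CREATE TABLE IF NOT EXISTS plugin_control (
            plugin  TEXT NOT NULL REFERENCES plugin(name),
            control TEXT NOT NULL REFERENCES nist_control(code),
            PRIMARY KEY (plugin, control));
    """)
    conn.executemany("INSERT INTO nist_control VALUES (?, ?)", NIST_CONTROLS)
    for name, code, title, controls in PLUGINS:
        conn.execute("INSERT INTO plugin VALUES (?, ?, ?)", (name, code, title))
        conn.executemany("INSERT INTO plugin_control VALUES (?, ?)",
                         [(name, c) for c in controls])
    conn.commit()
    return conn


def controls_for_plugin(conn, plugin_name):
    """Return [(control code, description), ...] for one plugin (step 2 lookup)."""
    return conn.execute("""
        SELECT n.code, n.description
        FROM plugin_control pc
        JOIN nist_control n ON n.code = pc.control
        WHERE pc.plugin = ?
        ORDER BY n.code""", (plugin_name,)).fetchall()


def plugins_for_control(conn, control_code):
    """Reverse lookup used by the filter in step 4: which plugins cover a control."""
    return [row[0] for row in conn.execute(
        "SELECT plugin FROM plugin_control WHERE control = ? ORDER BY plugin",
        (control_code,))]


def report_entry(conn, plugin_name):
    """Render the OWASP item with its NIST controls indented underneath (step 3)."""
    row = conn.execute(
        "SELECT owasp_code, owasp_title FROM plugin WHERE name = ?",
        (plugin_name,)).fetchone()
    if row is None:
        raise KeyError(f"unknown plugin: {plugin_name}")
    lines = [f"{row[0]}: {row[1]}"]
    for code, description in controls_for_plugin(conn, plugin_name):
        lines.append(f"    NIST 800-53 {code}: {description}")
    return "\n".join(lines)


if __name__ == "__main__":
    db = build_mapping_db()
    for name, *_ in PLUGINS:
        print(report_entry(db, name))
    print("Plugins covering IA-5:", plugins_for_control(db, "IA-5"))
```

The same tables would take a second standard (for example the OWASP Testing Guide v4 codes once they settle) as another lookup table plus another mapping table, which is the flexibility the issue asks for: plugin names stop carrying the standard's code, and the code lives only in the mapping rows.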
We might want to consider implementing this mapping in a sqlite3 database! I've got one set up already; I just need to populate it with records.
Hi Jim, yes, good thinking. The mapping needs some form of a relational DB and sqlite is a good choice for organizing configuration information such as plugins vs. standards mappings. Thanks for providing the sqlite DB yourself!
Fixed in 3745111