OWASP AppSec Designer Security Functional Requirements & Countermeasures Libraries

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" | THIS PAGE IS UNDER CONSTRUCTION

Description
The most overtly detailed security blueprint you will ever need.

Develop rule sets for use by AppSec Designer (TM), and any other tool choosing to use them, to define threat countermeasures and their related security functional component requirements. The security components, as defined by their packages of security functional requirements, may also be used to model application architecture and security design throughout the development life cycle.

Security Functional Requirements Libraries package requirements according to objective and enable their application according to platform. They provide a means of standardizing the finer details of security architecture and design, enumerated in a form that is machine-readable by the design tool of choice. Security components are described as packages of requirements, reconciled to security design patterns. For example, while a mutual TLS component may include 25 requirements after expanding interdependencies, one-way TLS would be a different security component consisting of fewer requirements.

Threat Model and Countermeasure Libraries provide a means of standardizing the maximum set of Attack Trees for an organization to use for manually performed Threat Modeling activities. Once the threats are identified, the libraries provide a mapping to the applicable countermeasures by platform. These countermeasures are expressed in terms of security components, as defined by the Security Functional Requirements Libraries.
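
The following is an added example, not part of the project's rule sets: it models components as packages of requirements, expands interdependencies, and resolves a threat on a platform to each countermeasure option's full requirement set. Every requirement, package, component and threat name in it is constructed for illustration.

```python
# Constructed sample library: every identifier here is hypothetical.
REQUIREMENT_DEPS = {            # requirement -> requirements it depends on
    "SFR-TLS-SERVER-AUTH": ["SFR-CERT-VALIDATION", "SFR-CIPHER-POLICY"],
    "SFR-TLS-CLIENT-AUTH": ["SFR-CERT-VALIDATION", "SFR-CLIENT-KEY-STORAGE"],
    "SFR-CERT-VALIDATION": ["SFR-TRUST-STORE", "SFR-REVOCATION-CHECK"],
    "SFR-REVOCATION-CHECK": ["SFR-TRUST-STORE"],
    "SFR-CLIENT-KEY-STORAGE": [],
    "SFR-CIPHER-POLICY": [],
    "SFR-TRUST-STORE": [],
}
PACKAGES = {                    # package -> requirements it lists directly
    "PKG-SERVER-AUTHENTICATION": ["SFR-TLS-SERVER-AUTH"],
    "PKG-CLIENT-AUTHENTICATION": ["SFR-TLS-CLIENT-AUTH"],
}
COMPONENTS = {                  # security component -> packages
    "one-way TLS": ["PKG-SERVER-AUTHENTICATION"],
    "mutual TLS": ["PKG-SERVER-AUTHENTICATION", "PKG-CLIENT-AUTHENTICATION"],
}
COUNTERMEASURES = {             # (threat, platform) -> component options
    ("eavesdropping on traffic", "web app"): ["one-way TLS", "mutual TLS"],
    ("client impersonation", "web app"): ["mutual TLS"],
}

def expand(requirements):
    """Return the requirements plus all of their transitive dependencies."""
    seen, stack = set(), list(requirements)
    while stack:
        req = stack.pop()
        if req in seen:          # already expanded; also stops on cycles
            continue
        if req not in REQUIREMENT_DEPS:
            raise ValueError(f"undefined requirement: {req}")
        seen.add(req)
        stack.extend(REQUIREMENT_DEPS[req])
    return seen

def component_requirements(component):
    """Full requirement set of a component after expanding dependencies."""
    direct = [r for pkg in COMPONENTS[component] for r in PACKAGES[pkg]]
    return expand(direct)

def countermeasure_options(threat, platform):
    """Map a threat on a platform to each option's full requirement set."""
    options = COUNTERMEASURES.get((threat, platform), [])
    return {c: sorted(component_requirements(c)) for c in options}

if __name__ == "__main__":
    for name, reqs in countermeasure_options("client impersonation", "web app").items():
        print(name, len(reqs), reqs)
```

A dangling dependency raises `ValueError`, which is the kind of library consistency check a design tool would want before using a rule set.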

Sources:

1. “Enumerating software security design flaws throughout the SSDLC”, John M. Willis, 2016, 23rd International Computer Security Symposium and 8th SABSA World Congress, https://www.slideshare.net/pinfosec/enumerating-software-security-design-flaws-throughout-the-ssdlc (Last accessed October 23, 2017)

2. “Catalog of Security Tactics linked to Common Criteria Requirements”, Christopher Preschern, 2012, http://hillside.net/plop/2012/papers/Group%202%20-%20Rattlesnake/Catalog%20of%20Security%20Tactics%20linked%20to%20Common%20Criteria%20Requirements.pdf (Last accessed October 23, 2017)

3. “Security Functional Requirements Analysis for Developing Secure Software”, Doctoral Thesis, Dan Wu, May 2007, http://csse.usc.edu/TECHRPTS/PhD_Dissertations/files/Wu_Dissertation.pdf (Last accessed October 23, 2017)

4. Threat Modeling – Designing for Security, Adam Shostack, John Wiley & Sons, 2014 (esp. Appendix B, Threat Trees)

5. Common Attack Pattern Enumeration and Classification (CAPEC), http://capec.mitre.org/

6. Web Application Security Consortium (WASC) Threat Classification

More information on AppSec Designer (TM) is available at http://www.turnaroundsecurity.com/AppSec%20Designer%20(TM)%20-%20Product%20Information%20Sheet%20-%20v.2.1%20-%20TurnaroundSecurity.com.pdf and https://www.kickstarter.com/projects/appsecdesigner/appsec-designer-tm?ref=e1sv1t.

Licensing
OWASP AppSec Designer Rule Sets for Threat Countermeasures and Security Functional Requirements is free to use. It is licensed under the Apache Software License version 2 (ASLv2), so you can copy, distribute, and transmit the work, adapt it, and use it commercially, provided that you attribute the work. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or a similar license to this one.


| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

Project Resources
Source Code

Slide Presentation

Video

Project Leader
John M. Willis

Related Projects

 * TBD

Classifications

| style="padding-left:25px;width:200px;" valign="top" |

News and Events

 * [11 Nov 2017] Initial upload of files to GitHub.


|}

=FAQs=

How can I participate in your project?
All you have to do is make the Project Leader aware of your available time to contribute to the project. It is also important to let the Leader know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

If I am not a programmer can I participate in your project?
Yes, you can certainly participate in the project if you are not a programmer. The project needs different skills and expertise at different times during its development. Currently, we are looking for people to define security components, finalize a threat tree, and define countermeasures for each threat (on the web app platform). Neo4j expertise would also be helpful.

= Acknowledgements =

Volunteers
The OWASP AppSec Designer Rule Sets for Threat Countermeasures and Security Functional Requirements project is developed by a worldwide team of volunteers.

The first contributors to the project were:


 * John M. Willis who created the AppSec Designer Rule Sets for Threat Countermeasures and Security Functional Requirements project
 * Ping Ning who provided feedback on the initial project description

= Road Map and Getting Involved =

As of November 2017, the highest priorities for the next 6 months are:

Security Functional Requirements Libraries

Base Library
 * Define packages of functional requirements to achieve specific security goals (e.g., Preschern).
 * Define interdependencies between security functional requirements (e.g., Common Criteria).

Threat Model and Countermeasures Libraries

Base Library
 * Choose or create an attack tree to be used as the base starting point (e.g., Shostack, CAPEC).
 * Define countermeasure options for the web app platform type for each attack type (specifying the relevant security functional requirements).

Subsequent Releases will add:

Security Functional Requirements Libraries

Base Library Custom Application Libraries
 * Define additional platform types, then how they affect the security functional requirements within the security requirements packages (e.g., Wu).
 * Determine list of high priority applications necessitating their own libraries (e.g., a different platform)
 * Prioritize the list
 * Work the list

Threat Model and Countermeasures Libraries

Base Library Custom Threat Countermeasure Libraries
 * Define platform types to be supported (align with security functional requirements base library).
 * Define countermeasure options for each additional platform type for each attack type (specifying the relevant security functional requirements).
 * Determine list of high priority scenarios necessitating their own libraries (e.g., a different platform)
 * Prioritize the list
 * Work the list

See the GitHub TODO for details.

Getting Involved
Involvement in the development and promotion of the OWASP AppSec Designer Rule Sets for Threat Countermeasures and Security Functional Requirements project is actively encouraged! You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:

Defining Security Components
Can you identify a list of security components to standardize upon? Can you identify security architecture and design patterns to baseline them against? We want to create a standardized set of security components based upon existing or new patterns.

Finalizing a Threat Tree
Do you have experience specifying threat trees? Can you help standardize on a Threat Tree for OWASP? We want something that can be used as a standard, or as a starting point, for organizations to use when performing Threat Modeling.

Defining Countermeasures for each Threat
Can you identify what it takes to counter threats? We want to associate a Security Component with each threat. We will start with the web application platform.

Defining Relationships and Queries using Neo4j
Do you know how to create nodes and relationships with Neo4j? We need help translating all of this good work into something a computer can understand and use. Do you know how to craft queries using Neo4j? We need help generating various queries.

Localization
Are you fluent in another language? Can you help translate the text strings in the Security Functional Requirements into that language?

Testing
Do you have a flair for finding bugs in software? We want to produce a high-quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.

Feedback
Please use the OWASP AppSec Designer Rule Sets for Threat Countermeasures and Security Functional Requirements project mailing list for feedback about: What do you like? What don't you like? What features would you like to see prioritized on the roadmap?

=Minimum Viable Product=

The OWASP AppSec Designer Rule Sets for Threat Countermeasures and Security Functional Requirements project must include the base Security Functional Requirements library and the base Threat Model and Countermeasures library, including:
 * A comprehensive set of Security Components is defined for the web application platform, each consisting of one or more Security Requirements Packages, each made up of Security Functional Requirements and accompanying Security Functional Requirements Text
 * Security Components are reconciled against security architecture and design patterns
 * Dependencies between Security Functional Requirements are defined

It would also be ideal if the Security Functional Requirements Text was translated into different languages.
 * A base Threat Tree is agreed upon.
 * Countermeasure options for the web application platform type for each threat in the Threat Tree are defined, specifying the relevant Security Components.