OWASP Cloud Security Project

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

The OWASP Cloud Security Project
The rise of DevOps and cloud computing has given organisations unprecedented access to feature-rich and high-scalable elastic platforms that allow them to deliver products and services with a velocity and agility that has never been seen before.

But with new capabilities come new attack vectors. The OWASP Cloud Security project aims to help people secure their products and services running in the cloud by providing a set of easy to use threat model templates and security control BDD stories that pool together the expertise and experience of the development, operations and security communities.

Why threat modelling?
Threat modelling addresses security issues at a fundamental, architectural level. Rather than trying to bolt on controls haphazardly, threat modelling results in more robust and secure systems by baking security into the design as well as identifying the gaps and weaknesses. Using templates allows the sharing of common threats in a way that can be tweaked and tuned by individual organisations. Improvements to the threat models can then be fed back to the community for the benefit of everyone.

Why BDD?
Behaviour Driven Development (BDD) adds a natural language layer on top of test-driven development by defining requirements in a machine parsable language that is also human readable. While adoption of BDD within development communities has been mixed (often because the developers end up having to duplicate effort as both producers and consumers of the BDD stories), BDD is actually an excellent fit for representing security control requirements in a way that is also continuously testable. Rather than burying a control requirement in a policy document that nobody reads, it can be represented in a way that an auditor would be happy with at the same time as being implemented as automated detective or preventative tests.

By bringing together threat model templates and BDD stories for mitigating controls, provided by the community, the OWASP Cloud Security project helps organisations understand the risks they face on their journey into the cloud.

Description
The OWASP Cloud Security project started life as a BDD for Cloud Security session held at the awesome OWASP Summit 2017. In this session approximately ten people spent an hour discussing whether it made sense to use BDD a way of capturing cloud control requirements in a way that fostered collaboration between development, operations, and security. The question then became - where do the requirements come from? PCI/DSS or some other standard? After spending the rest of the summit in various threat modelling sessions, it became clear to the project leader that it would be good to threat model the cloud services and then to write BDD stories for the mitigating controls from those threat models.

This project provides the following for an ever-expanding list of cloud providers and services:


 * Threats stored as machine-parsable YAML files
 * Threats stored as human-friendly README files (generated from YAML)
 * Mitigating controls as BDD stories in Gherkin-like feature files
 * Proof-of-concept attack scripts and tools

Licensing
'''The OWASP Cloud Security project resources are all completely free to use!

Documentation and related resources are licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Code is licensed under the MIT license.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What is OWASP Cloud Security Project?
The OWASP Cloud Security project aims to help people secure their products and services running in the cloud by providing a set of easy to use threat model templates and security control BDD stories that pool together the expertise and experience of the development, operations, and security communities.

Please contribute!

Presentation

 * DevSecCon London 2017

Project Leader

 * Fraser Scott

Related Projects

 * OWASP Staypuft - Launching November 10th 2017

Openhub

 * OWASP Project Openhub


 * valign="top" style="padding-left:25px;width:200px;" |

Source code and documentation
The home of the OWASP Cloud Security project is on is on GitHub. You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.

Please note that the project is still in its own organisation. This will be moved over to the OWASP organisation soon.

News and Events
Coming soon!

In Print
This project is not currently available to purchase as a book.

Classifications

 * }

=FAQs=

How can I participate in your project?
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

If I am not a programmer can I participate in your project?
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

For more information, visit the GitHub repository.

= Acknowledgements =

Contributors
The OWASP Cloud Security project is developed by volunteers. A live update of project contributors is found here.

The first contributors to the project were:


 * Fraser Scott
 * YOUR NAME BELONGS HERE

= Road Map and Getting Involved =

As of October 2017, the priorities are:


 * Threat models and BDD stories for top 10 AWS services
 * Threat models and BDD stories for top 10 Azure services
 * Threat models and BDD stories for top 10 Google Cloud Platform services
 * Provider-agnostic threat models and BDD stories
 * Threats models and BDD stories based on published standards (e.g. PCI/DSS) and best-practices (e.g. whitepapers)