Add proposal for threat modeling/attack analysis - NEW - OSPS-DO-18 #121

Open
wants to merge 6 commits into base: main

SecurityCRob
Contributor

added proposal for Threat modeling, attack surface analysis, and/or data-flow analysis as part of process & docs

Signed-off-by: CRob <[email protected]>
Contributor

@evankanderson left a comment

+1 on providing specific examples of how to locate the threat model. I think it's fine to grow more examples over time, but leaving this a blank slate makes it hard for tools and project owners to converge on a small set of solutions rather than balls of markdown.

@SecurityCRob added the documentation and enhancement labels Dec 18, 2024
SecurityCRob and others added 2 commits December 18, 2024 16:25
Co-authored-by: Puerco <[email protected]>
Signed-off-by: CRob <[email protected]>
Co-authored-by: Evan Anderson <[email protected]>
Signed-off-by: CRob <[email protected]>
SecurityCRob and others added 3 commits January 2, 2025 11:24
Co-authored-by: David A. Wheeler <[email protected]>
Signed-off-by: CRob <[email protected]>
Co-authored-by: David A. Wheeler <[email protected]>
Signed-off-by: CRob <[email protected]>
Co-authored-by: David A. Wheeler <[email protected]>
Signed-off-by: CRob <[email protected]>
Contributor

@david-a-wheeler left a comment

I'm thinking this could be clarified further, but having specific examples is a step forward.

I'm wavering on whether or not this should be level 2 or level 3. I can see an argument for level 3. However, a simple basic threat modeling analysis isn't that hard, especially since we don't specify the level of depth. So I'm just saying "yes" here.

@eddie-knight
Contributor

As much as I'm usually a proponent of threat models, I'm not a fan of the complexity here. Definitely not for level 2.

We don't want to hold small project teams to an overly rigorous standard, and even the simplest threat model processes can become very cumbersome. In contrast, the self-assessments we've discussed previously could accomplish most of our goals without the added rigor of a threat model.

The process we've been following already seems to cover 2/3 of the goals here:

  • DO-03 covers the "scope and purpose of the system" (though perhaps this could be more direct)
  • DO-07 and DO-09 cover actors, actions, inputs, and outputs— similar to "identifying its assets (which need protection), examining the architecture for threats"
  • A gap still exists on documenting "threats, determining their likelihood and impact, and selecting mitigation strategies."

@mlieberman85

I agree with Eddie. I still think we have something like a risk profile missing here. For example I can see us requiring this for Level 2 if Low Risk projects are excluded until Level 3 or something like that.

@funnelfiasco changed the title from "Update baseline.yaml - NEW - OSPS-DO-18" to "Add proposal for threat modeling/attack analysis - NEW - OSPS-DO-18" Jan 6, 2025
@SecurityCRob
Contributor Author

We will create a new category for "Security Assessments" and move this there. This will be OSPS-SA-02.
