Merge pull request #8 from planetlevel/main
First draft
Showing 1 changed file with 24 additions and 8 deletions.
@@ -1,19 +1,35 @@ | ||
# Introduction | ||
CycloneDX Attestations is a modern standard for security compliance. CycloneDX Attestations enables organizations with a machine-readable format for communication about security standards, claims about security requirements, and attestations to the veracity and completeness of those claims. You can think of Attestations as a way to manage "compliance as code." The Attestations project began in 2023 as part of the broader CycloneDX project. | ||
|
||
CycloneDX is a modern standard for the software supply chain. At its core, CycloneDX is a general-purpose Bill of | ||
Materials (BOM) standard capable of representing software, hardware, services, and other types of inventory. The CycloneDX | ||
standard began in 2017 in the Open Worldwide Application Security Project (OWASP) community. CycloneDX is an OWASP | ||
flagship project, has a formal standardization process and governance model, and is supported by the global information | ||
security community. | ||
Materials (BOM) standard capable of representing software, hardware, services, and other types of inventory. The CycloneDX standard began in 2017 in the Open Worldwide Application Security Project (OWASP) community. CycloneDX is an OWASP flagship project, has a formal standardization process and governance model, and is supported by the global information security community. | ||
|
||
## Intended Audience | ||
TODO | ||
CycloneDX Attestations is intended for use by: | ||
* Software development teams that want to meet security requirements and automate security evidence generation and communication | ||
* Security teams that want to ensure the security and compliance of software projects being created, and manage the compliance process with assessors. | ||
* Executives who are required to attest to their compliance with security standards. | ||
* Security assessors that want to have a standard way of processing compliance documentation and tracking compliance. | ||
* Security tool providers that build software for managing compliance processes. | ||
* Security standard creators that want to create a machine-readable version of their requirements. | ||
|
||
## Problem Statement | ||
TODO | ||
Currently, organizations use a variety of paper and non-standard electronic documents to communicate about security requirements, evidence, and attestation. The labor required to create, process, manage, update, and track these documents is expensive and overwhelming. And, unfortunately, the results are underwhelming. There are often large gaps between what the original requirement envisioned and the argument presented by the software producer. Similarly, assessors often misinterpret requirements and focus on minutae instead of the broader security posture. | ||
|
||
The problem is so bad there are endless [articles](https://www.google.com/search?q=compliance+is+not+security) explaining why compliance is not the same as security. This is unfortunate. If the security requirements really represented the shared security interests of all stakeholders, then security and compliance would be aligned. | ||
|
||
At the core, this problem is a communications problem. There is often a disconnect between a set of security requirements and the expected threats for a particular system and its corresponding defenses. Further, security requirements are never specific enough for development organizations to clearly understand what they must do with their particular system and technologies. At the same time, assessors often have difficulty understanding complex technologies to ensure that requirements are met. | ||
|
||
Our challenge is to encourage builders and assessors to communicate effectively about how to ensure that the *intent* of each requirement is applied appropriately to a particular product or system and achieved with confidence. | ||
|
||
## How CycloneDX Addresses Challenge | ||
TODO | ||
## How CycloneDX Attestations Addresses Challenge | ||
CycloneDX Attestations can't solve this problem entirely. However, by allowing all parties to communicate in a standard machine-readable format, we hope to encourage more productive interaction and far less paperwork. We believe that machine-readable standards will encourage faster and deeper understanding by all parties. We also believe that the claims and evidence approach will allow development organizations to articulate their compliance rationale quickly and clearly. And we are optimistic that Attestations will enable all forms of assessors, certifiers, and accreditors to more quickly evaluate compliance and provide feedback to producers. | ||
|
||
Over time, we expect better tools for managing all aspects of security attestation to emerge. As a producer, imagine being able to select appropriate standards for a project, eliminate duplication, articulate compliance rationales, automatically generate and include supporting evidence, manage reviews, and digitally sign attestations. From the assessor point of view, imagine being able to quickly evaluate claims and evidence, easily identify changes, point out gaps, and digitally sign approvals. | ||
|
||
If you are interested in using CycloneDX Attestations or want to help us realize our vision, please join us! | ||
|
||
<div style="page-break-after: always; visibility: hidden"> | ||
\newpage | ||
</div> | ||
|
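Review bot: the Problem Statement paragraph added in this hunk misspells "minutiae" as "minutae" ("assessors often misinterpret requirements and focus on minutae instead of the broader security posture"); please correct the spelling. Two smaller wording points in the same hunk: the new heading "## How CycloneDX Attestations Addresses Challenge" reads better as "## How CycloneDX Attestations Addresses the Challenge", and in the Introduction "CycloneDX Attestations enables organizations with a machine-readable format" should be "provides organizations with a machine-readable format" (or "enables organizations to use a machine-readable format"). Finally, the link "[articles](https://www.google.com/search?q=compliance+is+not+security)" points at a search query rather than a source; citing one or two specific articles would be more durable for a standards document.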