
Feature to map / gap analyse two standards #324

Closed
robvanderveer opened this issue Jul 13, 2023 · 2 comments
@robvanderveer (Collaborator) commented Jul 13, 2023

The mapping between two standards (say SAMM and NIST SSDF) can be done using the following algorithm.

1. Take SAMM.
2. Go by every entry.
3. See if an SSDF entry is linked directly: output that.
4. If not: walk upwards through parents until maybe an SSDF entry is linked directly to that: if so, report that and stop going upward.
5. If nothing found: again, walk upwards and from the parent walk down to other children and report SSDF links with those, if any.
6. In addition: go to linked topics and report any SSDF entry linked to that, and add that it is through a linked topic.
7. With every SSDF entry, report the graph-steps that were taken to reach it.

Examples:
SAMM Training and awareness ->

Linked through Technical application security training ->
SSDF : PO.2.2 : Provide role-based training for all personnel with responsibilities that etc.

SAMM Architecture design ->

Linked through 'Architecture/design processes' through child ->
Describe high-level system architecture and perform threat modeling on it every critical change and regularly ->
SSDF : PW.1.1 : Use forms of risk modeling – such as threat modeling, etc. etc.

Linked to related 'Setup and maintain a secure software development process' ->
SSDF : PO.1.1 : Identify and document all security requirements etc.
SSDF : PO.3.1 : Specify which tools or tool types must or should be included..
SSDF : PO.3.2 : Follow recommended security practices to deploy, operate, and maintain tools etc.
SSDF : PO.5.1 : Separate and protect each environment involved in software development.
SSDF : PO.5.2 : Secure and harden development endpoints etc.

SAMM Technology management ->

Linked through 'Security requirements' to ->
NIST SSDF : PO.1.2 : Identify and document all security requirements for developed software etc.

Linked to related 'Setup and maintain a secure software development process' ->
SSDF : PO.1.1 : Identify and document all security requirements etc.
SSDF : PO.3.1 : Specify which tools or tool types must or should be included..
SSDF : PO.3.2 : Follow recommended security practices to deploy, operate, and maintain tools etc.
SSDF : PO.5.1 : Separate and protect each environment involved in software development.
SSDF : PO.5.2 : Secure and harden development endpoints etc.
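The walk described in the comment above, as an added example that is not OpenCRE's own code. It runs over a small constructed SAMM-style graph (node names, parent/related links and SSDF ids are illustrative sample data, not real CRE content). One assumption: the "walk down to other children" step starts from the entry itself as well as from each ancestor, so that the first example above (a link reached through a child) is covered.

```python
from collections import defaultdict
# Constructed sample graph (illustrative; not real SAMM, CRE or SSDF data). Each node
# records its parent, its related (linked) topics and the SSDF ids linked directly to it.
GRAPH = {
    "Training and awareness": {"parent": None, "related": [], "ssdf": []},
    "Technical appsec training": {"parent": "Training and awareness", "related": [], "ssdf": ["PO.2.2"]},
    "Architecture/design processes": {"parent": None, "related": [], "ssdf": []},
    "Architecture design": {"parent": "Architecture/design processes", "related": ["Secure SDLC process"], "ssdf": []},
    "Perform threat modeling": {"parent": "Architecture/design processes", "related": [], "ssdf": ["PW.1.1"]},
    "Secure SDLC process": {"parent": None, "related": [], "ssdf": ["PO.1.1", "PO.3.1"]},
    "Tool selection": {"parent": "Secure SDLC process", "related": [], "ssdf": []},
}

def children_of(graph):
    kids = defaultdict(list)  # children are derived from the parent pointers
    for name, node in graph.items():
        if node["parent"]:
            kids[node["parent"]].append(name)
    return kids

def descend(graph, kids, node, path, skip, out):
    for child in kids[node]:  # report SSDF links in the subtree below node, skipping branch `skip`
        if child == skip:
            continue
        step = path + [f"child:{child}"]
        out.extend((s, step) for s in graph[child]["ssdf"])
        descend(graph, kids, child, step, None, out)

def map_entry(graph, start):
    """Return [(ssdf_id, steps)] for one entry; `steps` is the path that reached it."""
    kids, found = children_of(graph), []
    # 1. SSDF entries linked directly to the entry itself
    found.extend((s, [start]) for s in graph[start]["ssdf"])
    # 2. otherwise walk upward through parents; stop at the first one that has a link
    path, node = [start], graph[start]["parent"]
    while not found and node:
        path.append(f"parent:{node}")
        found.extend((s, list(path)) for s in graph[node]["ssdf"])
        node = graph[node]["parent"]
    # 3. still nothing: from the entry and each ancestor, walk down the other branches
    if not found:
        path, node, prev = [start], start, None
        while node:
            descend(graph, kids, node, path, prev, found)
            prev, node = node, graph[node]["parent"]
            path = path + [f"parent:{node}"] if node else path
    # 4. always: linked topics, reported as reached through a related topic
    for rel in graph[start]["related"]:
        found.extend((s, [start, f"related:{rel}"]) for s in graph[rel]["ssdf"])
    return found
```

Calling `map_entry(GRAPH, "Architecture design")` yields PW.1.1 via the parent's other child plus PO.1.1 and PO.3.1 via the related topic, each with the steps taken.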

@john681611 (Contributor) commented

Plan: Use Neo4j (Docker for local, aura for hosted (free possible))
Modify CRE_Graph (db.py 159, CRE_Graph) to create nodes and edges in the neo4j DB.
Use this query concept for gap analysis :D https://neo4j.com/developer/kb/all-shortest-paths-between-set-of-nodes/

@robvanderveer (Collaborator, Author) commented

Nice
