Security Standards

Applying Standards and Best Practices

Using well-established security standards and best practices is one of the simplest ways to reduce security risks. However, security standards come with their own challenges:

  • Too many and inconsistent standards: some standards are of poor quality and do not make sense.

  • Some standards are not open but proprietary. You must pay to receive the document and then figure out how to implement it.

  • Some standards decrease your security baseline. Not every published standard is good, and not every one should be used.

  • Most standards are too high-level and leave room for interpretation at the implementation level. This has caused security breaches in the past and will cause security breaches in the future.

Some government certifications require compliance with non-open security standards. This is a shame! Security standards should be open and freely accessible (e.g., under a CC-BY license) and include clear examples for implementation.

Tip

A good security standard is open (CC-BY or equivalent) and has working examples for implementation.

Standards

CycloneDX

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction.

https://cyclonedx.org/

MONARC Objects Sharing Platform

objects.monarc.lu is the MOSP instance for creating and sharing JSON objects related to cybersecurity, such as vulnerabilities, threats or cybersecurity standards. 5112 items are currently available through 19 organizations.

https://objects.monarc.lu/

OmniBOR

OmniBOR defines two key concepts, Artifact IDs and Input Manifests, that enable anyone to independently produce the same identifier for any software artifact, and to detect any artifact built with vulnerable inputs. See also the repo on omnibor.
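To make the two OmniBOR concepts concrete, here is an added Python illustration; it is not code from this page or from the OmniBOR project's own tooling. It assumes that an Artifact ID is a gitoid (SHA-256 over the Git blob header `blob <length>\0` followed by the file bytes, rendered as `gitoid:blob:sha256:<hex>`) and, as a simplifying assumption, that an Input Manifest is a header line followed by one sorted `blob <hex>` record per input. The source files and the "known vulnerable" input are constructed sample data.

```python
import hashlib
from typing import Iterable, List

GITOID_PREFIX = "gitoid:blob:sha256:"


def artifact_id(content: bytes) -> str:
    """OmniBOR Artifact ID of a blob: gitoid over 'blob <len>\\0' + content (assumed layout).

    Because the ID depends only on the bytes, anyone holding the same bytes
    derives the same identifier without any central registry.
    """
    h = hashlib.sha256()
    h.update(b"blob %d\0" % len(content))
    h.update(content)
    return GITOID_PREFIX + h.hexdigest()


def input_manifest(inputs: Iterable[bytes]) -> str:
    """Build an Input Manifest for an artifact from the bytes of each build input.

    Simplified layout assumed here: header 'gitoid:blob:sha256', then one
    'blob <hex>' record per input, sorted so the manifest itself is deterministic.
    """
    hex_ids = sorted(artifact_id(data)[len(GITOID_PREFIX):] for data in inputs)
    return "gitoid:blob:sha256\n" + "".join(f"blob {hex_id}\n" for hex_id in hex_ids)


def manifest_inputs(manifest: str) -> List[str]:
    """Return the Artifact IDs recorded in a manifest (header line skipped)."""
    ids = []
    for line in manifest.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "blob":
            ids.append(GITOID_PREFIX + parts[1])
    return ids


def built_with(manifest: str, suspect_ids: Iterable[str]) -> List[str]:
    """Defender's check: which known-vulnerable Artifact IDs appear among the inputs?"""
    recorded = set(manifest_inputs(manifest))
    return sorted(aid for aid in suspect_ids if aid in recorded)


# Constructed sample build inputs (not real project files).
MAIN_C = b"#include \"parse.h\"\nint main(void) { return parse(0); }\n"
PARSE_H = b"int parse(int);\n"
PARSE_C_VULN = b"int parse(int n) { char buf[8]; return n; }\n"   # labelled vulnerable for the demo
PARSE_C_FIXED = b"int parse(int n) { return n < 0 ? 0 : n; }\n"

# The "advisory" in this demo is simply the Artifact ID of the vulnerable input.
VULNERABLE_IDS = [artifact_id(PARSE_C_VULN)]


def demo() -> dict:
    """Two builds, one using the vulnerable parse.c and one using the fixed one."""
    bad_manifest = input_manifest([MAIN_C, PARSE_H, PARSE_C_VULN])
    good_manifest = input_manifest([PARSE_C_FIXED, PARSE_H, MAIN_C])  # order irrelevant
    return {
        "bad_hits": built_with(bad_manifest, VULNERABLE_IDS),
        "good_hits": built_with(good_manifest, VULNERABLE_IDS),
    }


if __name__ == "__main__":
    print(input_manifest([MAIN_C, PARSE_H, PARSE_C_VULN]))
    print(demo())
```

The detection step works purely by comparing identifiers: a consumer who receives only the manifest can match it against a list of vulnerable input IDs without access to the source, which is the property the OmniBOR sentence above describes.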

Open Common Requirement Enumeration

The open source project "OpenCRE" links all security standards and guidelines together at the level of requirements into one harmonized resource: threats, weaknesses, what to verify, how to program, how to test, which tool settings, in-depth discussion, training material. Everything organized. See also OWASP/OpenCRE

WebAuthn

Public Key Cryptography and Web Authentication (WebAuthn)

https://webauthn.guide/