Security Standards
Applying Standards and Best Practices
Using well-established security standards and best practices is one of the simplest ways to reduce security risks. However, security standards come with challenges:
Too Many and Inconsistent Standards: Some standards are not that good and do not make sense.
Some standards are not open and are proprietary. You must pay to receive such a document and figure out how to implement the standards.
Some standards decrease your security baseline. Not all standards published are good and should be used.
Most standards are too high level and leave room for interpretation at the implementation level. This has caused security breaches in the past and will cause security breaches in the future.
Some government certifications require compliance with non-open security standards. This is a shame! Security standards should be open and freely accessible (e.g., under a CC-BY license) and include clear examples for implementation.
Tip
A good security standard is open (CC-BY or equivalent) and has working examples for implementation.
Beyond Standards: Best Practices or Bad Practices
While security professionals often use best practices, these can be subjective and vary by context. A more reliable approach is to avoid bad practices. The OWASP Top 10 list is a helpful resource that identifies common security vulnerabilities to avoid.
Standards
CycloneDX
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction.
MONARC Objects Sharing Platform
objects.monarc.lu is the MOSP instance for creating and sharing JSON objects related to cybersecurity, such as vulnerabilities, threats or cybersecurity standards. 5112 items are currently available through 19 organizations.
OmniBOR
OmniBOR defines two key concepts, Artifact IDs and Input Manifests, that enable anyone to independently produce the same identifier for any software artifact, and to detect any artifact built with vulnerable inputs. See also the omnibor repository.
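To make the two OmniBOR concepts concrete, here is an added example (not code from the OmniBOR project) that computes an Artifact ID, builds Input Manifests for a library and an application that links it, and walks the manifests to detect a flagged input. It assumes the Artifact ID is a SHA-256 gitoid of type blob (sha256 over "blob <size>\0<content>") and that a manifest is a "gitoid:blob:sha256" header followed by sorted "blob <id>[ bom <manifest id>]" records; the sample artifacts are constructed.

```python
import hashlib


def artifact_id(data):
    # Gitoid of type "blob" with SHA-256: sha256(b"blob <len>\0" + data).
    # Assumption: this matches the OmniBOR Artifact ID definition.
    return hashlib.sha256(b"blob %d\0" % len(data) + data).hexdigest()


def input_manifest(inputs):
    """Build an Input Manifest from (input bytes, manifest id or None) pairs.
    Assumed format: one header line, then one sorted record per input."""
    records = []
    for data, bom in inputs:
        rec = "blob " + artifact_id(data)
        if bom is not None:
            rec += " bom " + bom  # the input's own manifest, if it has one
        records.append(rec)
    body = "gitoid:blob:sha256\n" + "".join(r + "\n" for r in sorted(records))
    return body.encode()


def manifest_inputs(manifest):
    """Parse a manifest into (artifact id, manifest id or None) pairs."""
    lines = manifest.decode().splitlines()
    if lines[0] != "gitoid:blob:sha256":
        raise ValueError("unsupported manifest header: " + lines[0])
    out = []
    for line in lines[1:]:
        parts = line.split()
        if parts[0] != "blob":
            raise ValueError("unexpected record: " + line)
        bom = parts[3] if len(parts) == 4 and parts[2] == "bom" else None
        out.append((parts[1], bom))
    return out


def vulnerable_inputs(manifest, vulnerable_ids, manifests_by_id):
    """Return ids of build inputs (transitively) that are in vulnerable_ids.
    manifests_by_id maps a manifest's artifact id to the manifest bytes."""
    found = []
    for aid, bom in manifest_inputs(manifest):
        if aid in vulnerable_ids:
            found.append(aid)
        if bom is not None and bom in manifests_by_id:
            found.extend(vulnerable_inputs(manifests_by_id[bom], vulnerable_ids, manifests_by_id))
    return found


# Constructed sample: a library built from one source file, and an app built
# from its own source plus that library (the library carries its manifest id).
LIB_SRC = b"int add(int a, int b) { return a + b; }\n"
LIB_OBJ = b"\x7fELF constructed library blob\n"
APP_SRC = b"int main(void) { return add(1, 2); }\n"
LIB_MANIFEST = input_manifest([(LIB_SRC, None)])
APP_MANIFEST = input_manifest([(APP_SRC, None), (LIB_OBJ, artifact_id(LIB_MANIFEST))])
MANIFESTS = {artifact_id(LIB_MANIFEST): LIB_MANIFEST}

if __name__ == "__main__":
    hits = vulnerable_inputs(APP_MANIFEST, {artifact_id(LIB_SRC)}, MANIFESTS)
    print("app built from flagged source:", bool(hits))
```

Anyone with the same source bytes derives the same id without a central registry, which is what lets an advisory name a vulnerable input by id and let consumers match it against their own manifests.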
Open Common Requirement Enumeration
The Open Source project “OpenCRE” links all security standards and guidelines together at the level of requirements into one harmonized resource: threats, weaknesses, what to verify, how to program, how to test, which tool settings, in-depth discussion, training material. Everything organized. See also OWASP/OpenCRE.
WebAuthn
Public Key Cryptography and Web Authentication (WebAuthn)