Comments (5)
Capturing details about what software actually does and how it works can be done with static, runtime, or both. Generally, I'd like to see the blueprint capture 1) the attack surface (entry points both public and internal), 2) security defenses like authn, authz, encryption, escaping, etc. 3) dangerous functions (not vulnerabilities), like parsing XML, evaluating expressions, querying databases, starting processes, etc. 4) all connections inbound and outbound.
from specification.
Can you further define some examples of blueprints? I'm interested in how they could be automated. My initial reaction is that the SBOM includes information on how it is deployed, or perhaps lists that it follows certain protocols or has certain WAF rules which would negate a subset of vulnerabilities.
Or we could apply the reverse. When we detect certain vulnerabilities, suggest certain actions that could be recorded in the blueprint.
Is that in line with what you are thinking?
- Take a microservice which takes input via HTTPS, processes it, and persists it to a relational database.
- That same microservice uses a vulnerable version of log4j.
In this example, CycloneDX described the blueprint of what the application does (1) and what the application contains (2).
Upon analyzing the BOM, it was discovered that input validation was not being performed prior to processing or persisting the data. Therefore, a WAF is automatically deployed with specific rules to guard against malicious input designed to exploit log4j.
I think that's a simple example, but there are likely many more real-world examples we could come up with, some of which may involve changing the configuration of the application itself. But yes, I think we're thinking along the same lines. Runtime platforms that leverage instrumentation may be a good way to capture what the application does in an automated way. @planetlevel
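To make the two comments above concrete, here is an added example (not code from this thread or from the CycloneDX project) that reads a CycloneDX JSON BOM describing both what the microservice does (a `services` entry with endpoints, data flows, `authenticated` and `x-trust-boundary`) and what it contains (a `components` entry for log4j-core 2.14.1 plus a `vulnerabilities` record for CVE-2021-44228), then derives the kind of recommendation the third comment describes: an exposed, unvalidated entry point in front of a vulnerable library gets a WAF recommendation. The BOM is constructed inline; the bom-refs and hostnames are made up, and the `example:input-validation` property is a hypothetical convention, since CycloneDX has no standard field for "input validation is performed".

```python
import json

# Constructed sample BOM modelled on the microservice in the thread: HTTPS in, relational
# database out, log4j-core 2.14.1 on the classpath. Field names follow the CycloneDX 1.5
# JSON schema; bom-refs and hostnames are made up, and the vulnerability entry is abbreviated.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "name": "orders-svc", "bom-ref": "app"}},
    "components": [
        {"type": "library", "bom-ref": "log4j-core", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    ],
    "services": [
        {"bom-ref": "orders-api", "name": "orders-api",
         "endpoints": ["https://orders.example.internal/v1/orders"],
         "authenticated": False, "x-trust-boundary": True,
         "data": [{"flow": "inbound", "classification": "order JSON"}]},
        {"bom-ref": "orders-db", "name": "orders-db",
         "endpoints": ["postgresql://db.example.internal:5432/orders"],
         "authenticated": True, "x-trust-boundary": False,
         "data": [{"flow": "outbound", "classification": "order rows"}]},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["log4j-core", "orders-api", "orders-db"]}],
    "vulnerabilities": [
        {"id": "CVE-2021-44228", "source": {"name": "NVD"}, "affects": [{"ref": "log4j-core"}]},
    ],
})

# Hypothetical property name for "this service validates its input". CycloneDX has no
# standard field for that; `properties` (name/value pairs) is the schema's extension point.
VALIDATION_PROP = "example:input-validation"


def load(bom_json):
    """Parse a CycloneDX JSON BOM."""
    return json.loads(bom_json)


def entry_points(bom):
    """Attack surface: every service that accepts inbound data, with its declared defenses."""
    points = []
    for svc in bom.get("services", []):
        flows = {d.get("flow") for d in svc.get("data", [])}
        if not flows & {"inbound", "bi-directional"}:
            continue  # outbound-only connections (e.g. the database) are not entry points
        props = {p["name"]: p["value"] for p in svc.get("properties", [])}
        points.append({
            "ref": svc["bom-ref"],
            "endpoints": svc.get("endpoints", []),
            "authenticated": bool(svc.get("authenticated", False)),
            "crosses_trust_boundary": bool(svc.get("x-trust-boundary", False)),
            "validates_input": props.get(VALIDATION_PROP, "false").lower() == "true",
        })
    return points


def vulnerable_components(bom):
    """Map component bom-ref -> list of vulnerability ids recorded against it."""
    refs = {c["bom-ref"] for c in bom.get("components", [])}
    hits = {}
    for vuln in bom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            if affected["ref"] in refs:
                hits.setdefault(affected["ref"], []).append(vuln["id"])
    return hits


def reachable_from_app(bom):
    """Walk the dependency graph from metadata.component to everything the app pulls in."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, stack = set(), [bom["metadata"]["component"]["bom-ref"]]
    while stack:
        for dep in graph.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def recommend(bom):
    """Join the two views: exposed entry points x vulnerable code actually in the app."""
    reach = reachable_from_app(bom)
    exposed = sorted(vid for ref, ids in vulnerable_components(bom).items()
                     if ref in reach for vid in ids)
    recs = []
    for ep in entry_points(bom):
        for endpoint in ep["endpoints"]:
            if ep["crosses_trust_boundary"] and not ep["authenticated"]:
                recs.append(f"{endpoint}: unauthenticated entry point across a trust boundary")
            if exposed and not ep["validates_input"]:
                recs.append(f"{endpoint}: no declared input validation; "
                            f"front with WAF rules covering {', '.join(exposed)}")
    return recs


if __name__ == "__main__":
    for line in recommend(load(SAMPLE_BOM)):
        print(line)
```

The join in `recommend` is the point: a vulnerable library listed in the BOM but not reachable from the application's dependency graph, or an entry point that declares input validation, produces no WAF recommendation, so the output changes with the blueprint rather than with the component list alone.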
Interesting idea. Sounds similar to the goals of the DARPA E-BOSS program. Maybe there will be some opportunity for collaboration there.
Related Issues (20)
- Support for evidence.licenses.confidence, methods
- Support for specifying how a vulnerability was matched against a component
- All required properties should have `"minLength": 1`
- Add threat model capabilities to CycloneDX / TM-BOM
- Misalignment in Protobuf Specification with Updated XML and JSON Schemas for LicenseChoice
- Change component type so that it's not required or add a new type of unassigned
- character encoding in JSON BOMs
- Request: Add component release/publish date to CycloneDX
- specVersion has no restrictions on value
- Resolve ambiguous definition of `serialNumber`
- [FEATURE]: EPSS Score on Vulnerability model
- [FEATURE]: Validity period for attestations
- [FEATURE]: Adding Streebog hashing algorithm
- [FEATURE]: bom-ref rename to bomRef
- [FEATURE]: Introduction of vulnerability type
- Grammar and style check
- [Defect]: Inconsistency in the CycloneDX v1.6 - `cryptoRefArray`
- [Defect]: Resolve Ambiguity in Component:Version element description
- Add Steward to the CycloneDX specification