| Organization / Resource | Description |
|---|---|
| Web Application Security Consortium (WASC) | Best practice security standards, tools, resources, and information, e.g., Web application scanner evaluation criteria |
| Open Web Application Security Project (OWASP) | Tools, articles, and other resources; development, testing, and code review procedures; list of top risks |
| Department of Homeland Security (DHS) | Best practice tools, guidelines, rules, principles, and other resources; Build Security In (BSI) initiative; provides CWE (below) as a service; SW assurance Common Body of Knowledge; comprehensive guidance on secure SW development at buildsecurityin.us-cert.gov |
| Institute of Electrical and Electronics Engineers (IEEE), Computer Society (CS), Center for Secure Design (CSD) | Recent initiative aimed at providing a variety of artifacts for secure system development, e.g., "How to Avoid the Top Ten Software Security Flaws" |
| ISO/IEC 27034 | Standard guidance on integrating security into the processes for managing applications |
| System Administration, Networking, and Security Institute (SANS) | Education, certification, reference materials, and conferences dealing with information security |
| Council on CyberSecurity | Established in 2013; publishes a list of prioritized Critical Security Controls (CSCs) that are widely used as a measure of cyber resilience (www.counciloncybersecurity.org) |
| National Institute of Standards and Technology (NIST) | Federal Government lead for cybersecurity, e.g., the Risk Management Framework (RMF); multiple standards and best practice publications, including the SP 800 series and Federal Information Processing Standards (FIPS) |
| National Security Agency (NSA) | Published the original "Rainbow Books" on computer and network security; operates the Center for Assured SW |
| SW Assurance Metrics and Tool Evaluation (SAMATE) | Provided by DHS and NIST |
| Common Attack Pattern Enumeration and Classification (CAPEC) | Sponsored by DHS and MITRE (http://capec.mitre.org/index.html); lists common attack patterns with a comprehensive schema and classification taxonomy; ~500 entries (so far) |
| National Vulnerability Database (NVD); NIST SP 800-53 | Federal Government repository of standards-based vulnerability management data; uses the Security Content Automation Protocol (SCAP), which includes the Extensible Configuration Checklist Description Format (XCCDF); supports automation of vulnerability management, security measurement, and compliance; includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics; supports the Information Security Automation Program (ISAP); provides a list of Common Vulnerabilities and Exposures (CVEs) and scores each CVE to quantify its risk, using a set of equations over metrics such as access complexity and the availability of a remedy; includes a Common Platform Enumeration (CPE) dictionary |