Build the requirement list on the card using OpenCRE for easier maintenance and collaboration. · Issue #595 · OWASP/cornucopia

Given that OpenCRE has a full list of all applicable requirements connected to the OWASP Cornucopia cards, we could build our requirement list from the CRE IDs in OpenCRE, but it would probably be more interesting to be able to relate the applicable Cheat Sheets and attacks, and to use these links defined in OpenCRE to build the card pages on https://cornucopia.owasp.org

As an example take https://opencre.org/cre/688-081 (CRE 688-081)

The link is directly connected to ASVS 3.4.1, NIST 800-63: 7.1.1 and the OWASP Cheat Sheets: Session Management Cheat Sheet, amongst others. These could be used to build the individual card pages, like SM4, to give additional guidelines and advice on the appsec requirements and activities needed in order to mitigate the applicable threat.

In addition, from Threat Dragon and from copi.owasp.org, it would enable us to combine the security requirement analysis process according to best SDLC practices and ISO 27002 8.26 Application Security Requirements (https://www.isms.online/iso-27002/control-8-26-application-security-requirements/) with the security design and threat modeling process that is recommended according to ISO 27002 8.28: Secure Coding (https://hightable.io/iso-27002/control-8-28-secure-coding/), and use OWASP OpenCRE as a way to maintain the links to the appropriate threats, standards and requirements.

Let's say, e.g., that you are doing threat modeling through OWASP Cornucopia: you play a card that you find applicable and it scores during the game. You add the card to your OWASP Threat Dragon model through its UI, but then you wonder: what are the application security requirements and the appropriate standards and Cheat Sheets applicable to the threat I have identified? If all of this information were linked through OpenCRE, then by selecting the appropriate card from OWASP Threat Dragon you could also get up-to-date information about which ASVS requirements apply, how these relate e.g. to NIST, and which Cheat Sheets you probably should look at in order to mitigate the threat.

see:

OWASP/owasp-masvs#745

and

OWASP/OpenCRE#588
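As an added illustration of what the proposal above could look like in code (this is example code written for this page, not code from the Cornucopia or OpenCRE projects): a card is mapped to one or more CRE IDs, each CRE carries links to standard sections and to other CREs, and the card's requirement list is the set of standard links reachable from its CREs, grouped by standard. The data shape (a `links` list with `ltype`, `standard`/`section` or `cre` fields, and the link types `LinkedTo`, `Contains`, `Related`) is an assumption about how an OpenCRE export might be represented, not OpenCRE's actual API schema. The links on CRE 688-081 mirror the ones named in the issue; the SM4 mapping, the child CRE `child-cre-constructed` and its links are constructed for the demo and are not real OpenCRE data.

```python
"""Build a Cornucopia card's requirement list from OpenCRE-style links.

Example code added for illustration; not from the cornucopia or OpenCRE
projects. The export shape below is an ASSUMPTION; the child CRE and the
card mapping are CONSTRUCTED sample data.
"""
from collections import defaultdict

# Constructed sample shaped like a simplified OpenCRE export (assumed shape).
CRES = {
    "688-081": {
        "links": [
            {"ltype": "LinkedTo", "standard": "ASVS", "section": "3.4.1"},
            {"ltype": "LinkedTo", "standard": "NIST 800-63", "section": "7.1.1"},
            {"ltype": "LinkedTo", "standard": "OWASP Cheat Sheets",
             "section": "Session Management Cheat Sheet"},
            # Constructed child CRE; "Contains" is an assumed link type.
            {"ltype": "Contains", "cre": "child-cre-constructed"},
            # Dangling reference: a CRE id missing from the export must be skipped.
            {"ltype": "Contains", "cre": "missing-cre-constructed"},
        ],
    },
    "child-cre-constructed": {  # placeholder, not a real CRE id
        "links": [
            {"ltype": "LinkedTo", "standard": "ASVS", "section": "3.4.2"},
            # Back-link to the parent: creates a cycle the traversal must survive.
            {"ltype": "Related", "cre": "688-081"},
        ],
    },
}

# Constructed card-to-CRE mapping (the issue names SM4 as the card for 688-081).
CARD_TO_CRES = {"SM4": ["688-081"]}


def cres_for_card(card, mapping=CARD_TO_CRES, cres=CRES, follow=("Contains",)):
    """Return the set of CRE ids reachable from the card's CREs.

    Only CRE-to-CRE links whose ltype is in `follow` are traversed, so the
    caller decides whether 'Related' CREs also contribute requirements.
    A `seen` set protects against cycles; ids absent from `cres` are ignored.
    """
    seen = set()
    stack = list(mapping.get(card, []))
    while stack:
        cre = stack.pop()
        if cre in seen or cre not in cres:
            continue
        seen.add(cre)
        for link in cres[cre]["links"]:
            if link["ltype"] in follow and "cre" in link:
                stack.append(link["cre"])
    return seen


def requirements_for_card(card, mapping=CARD_TO_CRES, cres=CRES, follow=("Contains",)):
    """Group the standard sections linked from the card's CREs by standard.

    Returns {standard: [sorted, deduplicated sections]} with standards sorted,
    so the output is stable for rendering and for diffing between exports.
    """
    grouped = defaultdict(set)
    for cre in cres_for_card(card, mapping, cres, follow):
        for link in cres[cre]["links"]:
            if link["ltype"] == "LinkedTo":
                grouped[link["standard"]].add(link["section"])
    return {std: sorted(secs) for std, secs in sorted(grouped.items())}


def render_card(card, mapping=CARD_TO_CRES, cres=CRES, follow=("Contains",)):
    """Render the requirement list as plain text, one standard per line."""
    lines = [card]
    for std, secs in requirements_for_card(card, mapping, cres, follow).items():
        lines.append(f"{std}: {', '.join(secs)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_card("SM4"))
```

The `follow` parameter is the knob that matters when the CRE graph is used this way: following only `Contains` gives the requirements the card's CREs directly cover, while also following `Related` pulls in neighbouring topics and can grow the list quickly, which is why the traversal keeps a visited set and drops links to ids that are not in the export.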