OWASP Cloud Security Project

The OWASP Cloud Security Project

We believe that cyber security has a fundamental role to play in protecting the digital future. We also believe that cyber security isn't just about the technology; it's about the people. The customer, the developer, the designer, the security engineer, even the attacker. Not only is cyber security a never-ending process, it's also a conversation.

This project was created to enable that conversation.

Given the challenge of protecting the digital future And a diverse group of awesomely talented people When we enable the conversation between people Then they can make a real difference to the security of their services

The rise of DevOps and cloud computing has given organisations unprecedented access to feature-rich and high-scalable elastic platforms that allow them to deliver products and services with a velocity and agility that has never been seen before.

But with new capabilities come new attack vectors. The OWASP Cloud Security project aims to help people secure their products and services running in the cloud by providing a set of easy to use threat and control BDD stories that pool together the expertise and experience of the development, operations and security communities.

Why BDD stories?

Behaviour Driven Development (BDD) adds a natural language layer on top of test-driven development by defining requirements in a machine parsable language that is also human readable. While adoption of BDD within development communities has been mixed (often because the developers end up having to duplicate effort as both producers and consumers of the BDD stories), BDD is actually an excellent fit for representing threats and control. For threats it provides a consistent and structured format for express threats and scenarios in a way that can be shared between all stakeholders, from engineers to management. For mitigating controls BDD is ideal because it expresses control requirements in a way that is also continuously testable. Rather than burying a control requirement in a policy document that nobody reads, it can be represented in a way that an auditor would be happy with at the same time as being implemented as automated detective or preventative tests.

By bringing together threat and control stories, provided by the community, the OWASP Cloud Security project helps organisations understand the risks they face on their journey into the cloud.

Threat modelling

Threat modelling addresses security issues at a fundamental, architectural level. Rather than trying to bolt on controls haphazardly, threat modelling results in more robust and secure systems by baking security into the design as well as identifying the gaps and weaknesses. Using threat stories allows the sharing of common threats in a way that can be tweaked and tuned by individual organisations. Improvements to the threats can then be fed back to the community for the benefit of everyone.

Description

The OWASP Cloud Security project started life as a BDD for Cloud Security session held at the awesome OWASP Summit 2017. In this session approximately ten people spent an hour discussing whether it made sense to use BDD a way of capturing cloud control requirements in a way that fostered collaboration between development, operations, and security. The question then became - where do the requirements come from? PCI/DSS or some other standard? After spending the rest of the summit in various threat modelling sessions, it became clear to the project leader that it would be good to threat model the cloud services and then to write BDD stories for the mitigating controls from those threat models.

This project provides the following for an ever-expanding list of cloud providers and services:

• Threats expressed as BDD (Gherkin) stories
• Mitigating controls expressed as BDD (Gherkin) stories
• Proof-of-concept attack scripts and tools

Licensing

The OWASP Cloud Security project resources are all completely free to use!

Documentation and related resources are licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Code is licensed under the MIT license.

What is OWASP Cloud Security Project?

The OWASP Cloud Security project aims to help people secure their products and services running in the cloud by providing a set of easy to use threat and control BDD stories that pool together the expertise and experience of the development, operations, and security communities.

Please contribute!

Presentation

• DevSecCon London 2017

Project Leader

• Fraser Scott

Related Projects

• OWASP Threat Model Project
• OWASP Threat Dragon

Openhub

• OWASP Project Openhub

Source code and documentation

The home of the OWASP Cloud Security project is on is on GitHub. You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.

Please note that the project is still in its own organisation. This will be moved over to the OWASP organisation soon.

News and Events

The project has appeared in the follow posts:

• https://adam.shostack.org/blog/2017/12/threat-modeling-tooling-from-2017/
• https://automationpanda.com/2017/12/10/yaml-comments-in-gherkin-feature-files/

In Print

This project is not currently available to purchase as a book.

Classifications