This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Cloud Security Project"
From OWASP
Fraserscott (talk | contribs) (Adding Paul Cutting as a contributor) |
Fraserscott (talk | contribs) (Clean up based on threat stories) |
Line 8: | Line 8: | ||
==The OWASP Cloud Security Project== | ==The OWASP Cloud Security Project== | ||
+ | |||
+ | We believe that cyber security has a fundamental role to play in protecting the digital future. We also believe that cyber security isn't just about the technology; it's about the people. The customer, the developer, the designer, the security engineer, even the attacker. Not only is cyber security a never-ending process, it's also a conversation. | ||
+ | |||
+ | This project was created to enable that conversation. | ||
+ | |||
+ | <blockquote> | ||
+ | Given the challenge of protecting the digital future | ||
+ | And a diverse group of awesomely talented people | ||
+ | When we enable the conversation between people | ||
+ | Then they can make a real difference to the security of their services | ||
+ | </blockquote> | ||
The rise of DevOps and cloud computing has given organisations unprecedented access to feature-rich and high-scalable elastic platforms that allow them to deliver products and services with a velocity and agility that has never been seen before. | The rise of DevOps and cloud computing has given organisations unprecedented access to feature-rich and high-scalable elastic platforms that allow them to deliver products and services with a velocity and agility that has never been seen before. | ||
− | But with new capabilities come new attack vectors. The OWASP Cloud Security project aims to help people secure their products and services running in the cloud by providing a set of easy to use threat | + | But with new capabilities come new attack vectors. The OWASP Cloud Security project aims to help people secure their products and services running in the cloud by providing a set of easy to use threat and control BDD stories that pool together the expertise and experience of the development, operations and security communities. |
− | ===Why | + | ===Why BDD stories?=== |
− | + | Behaviour Driven Development (BDD) adds a natural language layer on top of test-driven development by defining requirements in a machine parsable language that is also human readable. While adoption of BDD within development communities has been mixed (often because the developers end up having to duplicate effort as both producers and consumers of the BDD stories), BDD is actually an excellent fit for representing threats and control. For threats it provides a consistent and structured format for express threats and scenarios in a way that can be shared between all stakeholders, from engineers to management. For mitigating controls BDD is ideal because it expresses control requirements in a way that is also continuously testable. Rather than burying a control requirement in a policy document that nobody reads, it can be represented in a way that an auditor would be happy with at the same time as being implemented as automated detective or preventative tests. | |
− | + | By bringing together threat and control stories, provided by the community, the OWASP Cloud Security project helps organisations understand the risks they face on their journey into the cloud. | |
− | + | ===Threat modelling=== | |
− | + | Threat modelling addresses security issues at a fundamental, architectural level. Rather than trying to bolt on controls haphazardly, threat modelling results in more robust and secure systems by baking security into the design as well as identifying the gaps and weaknesses. Using threat stories allows the sharing of common threats in a way that can be tweaked and tuned by individual organisations. Improvements to the threats can then be fed back to the community for the benefit of everyone. | |
==Description== | ==Description== | ||
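Review bot: the new "Why BDD stories?" paragraph has a few grammar slips worth fixing before this lands: "representing threats and control" should read "threats and controls", "a consistent and structured format for express threats and scenarios" should be "for expressing threats and scenarios", and "easy to use threat and control BDD stories" reads better hyphenated as "easy-to-use". The unchanged intro line's "high-scalable elastic platforms" is also a long-standing typo for "highly scalable"; since this revision is already reworking that paragraph, it is a cheap fix to fold in.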
Line 29: | Line 40: | ||
This project provides the following for an ever-expanding list of cloud providers and services: | This project provides the following for an ever-expanding list of cloud providers and services: | ||
− | * Threats | + | * Threats expressed as BDD (Gherkin) stories |
− | + | * Mitigating controls expressed as BDD (Gherkin) stories | |
− | * Mitigating controls as BDD stories | ||
* Proof-of-concept attack scripts and tools | * Proof-of-concept attack scripts and tools | ||
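Review bot: the Description list now names Gherkin as the concrete format for both the threat and the control stories, but the "Why BDD stories?" section added earlier in this revision only ever says "BDD" and never tells the reader which syntax the stories actually use. Consider mentioning Gherkin (or linking to it) where BDD is first introduced so the two sections agree on what a story looks like.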