OpenCRE.org - The How and The Why of Security Best Practices

Written by Rob van der Veer, Software Improvement Group; Spyros Gasteratos, OWASP; and Lefteris Skoutaris, CSA.

In cybersecurity it is important to understand all aspects of best practices and controls: what risks and threats are they solving, what regulations and standards are prescribing them, how to apply them, and how to test for them. Currently, this information is scattered across many different standards and publications in a complex and ever-changing security, legal, and regulatory landscape. That makes it hard for professionals to find the right information and for standard makers to refer to the right resources.

What is OpenCRE?

In order to unify standards and guidelines and thus enable access to the right information, the OWASP Integration standards project developed an open source platform https://www.opencre.org. OpenCRE stands for ‘Open Common Requirement Enumeration,’ as the platform interactively links resources together using ‘common requirements,’ connecting threats, weaknesses, standards, code samples, and test instructions.

OpenCRE.org provides an integrated overview of cybersecurity topics with these cross-links across multiple standards, including ISO/IEC 27001, the Open Worldwide Application Security Project (OWASP) Top 10, Application Security Verification Standard (ASVS), OWASP Proactive Controls, OWASP Testing Guide, OWASP Cheat Sheets, Common Weakness Enumeration (CWE), Common Attack Pattern Enumeration and Classification (CAPEC), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, NIST SP 800-63b, SSDF, and more. The goal is to achieve end-to-end visibility of security.

Linking CCM v4 to OpenCRE

Today we are happy to announce that OpenCRE is collaborating with the Cloud Security Alliance to bring the mapping flexibility of openCRE.org into the Cloud Controls Matrix (CCM)! Now all CCM users can easily and efficiently find mapping information between CCM and any other standard supported by the OpenCRE project.

In practical terms, let’s say your task is to implement a cloud security control from CSA about Log protection (LOG-09). In OpenCRE, that control is linked to the common requirement of “Log integrity.” This takes you to all the contained requirements, including log access protection, log injection prevention, and log time synchronization. And for each of those things you need to take care of, you can see what NIST wrote about it, what the related CAPEC threat is, the weakness from MITRE, the implementation guides with code samples from OWASP, the testing guides, and even the configuration for testing tools. Everything at your fingertips.

Using this information, you can easily and efficiently disseminate the correct kind of advice for each level of the standard compliance chain for a development team (e.g. implementation advice), and related compliance standards for the Chief Information Security Officer.

Creating Clarity

With OpenCRE, standards need to connect their topics only to the corresponding common requirement, and no one has to be bothered with creating references to all other resources and keeping them up to date all the time. OpenCRE stays up to date because the community has a stake in it and can use the open source mechanisms to update the mapping. Even better: OpenCRE has a mechanism that scans standards for links to OpenCRE that, by definition, define the mapping. So if a standard contains references to the CRE, that standard becomes part of OpenCRE so people can find it, and it will stay up to date automatically.

By connecting so many resources, the amount of information becomes overwhelming, and that’s where OpenCRE really shines; because it’s a platform, users can specify what types of resources they are interested in. The user can be a tester or a java developer, and specifying that will automatically filter all information referred through OpenCRE.

Moreover, users of OpenCRE have access to a chatbot which can answer cybersecurity questions powered by the contents of OpenCRE, now with access to CCM!

As such, the collaboration between OpenCRE and the Cloud Security Alliance is another great step in tying resources together so professionals can easily find their way.