
Cre links for OWASP Cornucopia

Open sydseter opened this issue 10 months ago • 6 comments

Here are the connections between the existing CREs and OWASP Cornucopia: http://cornucopia.owasp.org/api/cre/webapp/en

@northdpole We discussed some time ago to import OWASP Cornucopia into OpenCre and connect the cards with the existing CREs in the api.

The above link shows how the various cards are connected.

Would be great if we could register OWASP Cornucopia in order to get a connection between threat modeling and security requirements right!

cc: @rewtd @cw-owasp

sydseter avatar Feb 28 '25 13:02 sydseter

Would love to import the Mobile App Edition too, but we need the MASTG tests and the MASVS requirements imported first for it to make sense.

sydseter avatar Feb 28 '25 13:02 sydseter

Hey @sydseter, that's awesome. I do believe that a mapping from Cornucopia to CRE makes sense as a link to further resources; in fact I wrote the first mapping from Cornucopia to CRE a while ago.

However, from a UX perspective I'm having trouble imagining a use case where someone wants to see an individual Cornucopia card from CRE. That's why I haven't added Cornucopia cards to the API yet. Can you please help me come up with a scenario where a CRE user wants to see an individual card?

(I am very much in support of this project, just need to get the UX right :-) )

northdpole avatar Mar 02 '25 11:03 northdpole

So my end goal is to be able, both from Threat Dragon and from copi.owasp.org, to combine the security requirement analysis process according to best SDLC practices and ISO 27002 8.26 Application Security Requirements (https://www.isms.online/iso-27002/control-8-26-application-security-requirements/) with the security design and threat modeling process recommended by ISO 27002 8.28 Secure Coding (https://hightable.io/iso-27002/control-8-28-secure-coding/), and to use OWASP OpenCRE as a way to maintain the links to the appropriate threats, standards and requirements.

Let's say, e.g., that you are doing threat modeling through OWASP Cornucopia: you play a card that you find applicable and it scores during the game. You add the card to your OWASP Threat Dragon model through its UI, but then you wonder: what are the application security requirements, appropriate standards and cheat sheets applicable to the threat I have identified? If all of this information was linked through OpenCRE then, by selecting the appropriate card from OWASP Threat Dragon, you could also get up-to-date information about which ASVS requirements apply, how these relate e.g. to NIST, and which cheat sheets you probably should look at in order to mitigate the threat.

sydseter avatar Mar 02 '25 17:03 sydseter
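The card-to-requirements lookup described in the comment above, as an added example that is not part of this thread and not OpenCRE's or Cornucopia's own code: a played card is resolved through a small CRE hub to the ASVS, NIST and cheat sheet references linked to it. The card ids, CRE ids and standard references are constructed placeholders held in inline dicts; the real OpenCRE graph is reached through its API instead.

```python
from collections import deque

# Constructed sample mapping: Cornucopia card id -> CRE ids.
# Ids and standard references are placeholders, not real OpenCRE data.
CARD_TO_CRE = {
    "VE2": ["CRE-100"],             # constructed: a data validation card
    "AT3": ["CRE-200", "CRE-300"],  # constructed: an authentication card
}

# Constructed CRE hub: each CRE lists the standards it links to and the
# related CREs it cross-references (mirrors the shape of the hub only).
CRE_GRAPH = {
    "CRE-100": {"standards": {"ASVS": ["V5.1.3"], "Cheat sheet": ["Input Validation"]},
                "related": ["CRE-200"]},
    "CRE-200": {"standards": {"ASVS": ["V2.1.1"], "NIST": ["SP800-63B 5.1.1"]},
                "related": ["CRE-100"]},   # cycle back to CRE-100 on purpose
    "CRE-300": {"standards": {"Cheat sheet": ["Authentication"]}, "related": []},
}


def resolve_card(card_id, max_depth=1):
    """Return the CREs and standards reachable from a played card.

    Direct CREs are depth 0; `max_depth` bounds how far related-CRE links
    are followed so a densely cross-linked hub stays readable. A visited
    set makes cycles in the hub harmless.
    """
    if card_id not in CARD_TO_CRE:
        raise KeyError(f"card {card_id!r} has no CRE mapping")
    visited = set()
    standards = {}
    queue = deque((cre, 0) for cre in CARD_TO_CRE[card_id])
    while queue:
        cre, depth = queue.popleft()
        if cre in visited or cre not in CRE_GRAPH:
            continue
        visited.add(cre)
        for name, refs in CRE_GRAPH[cre]["standards"].items():
            standards.setdefault(name, set()).update(refs)
        if depth < max_depth:
            queue.extend((rel, depth + 1) for rel in CRE_GRAPH[cre]["related"])
    return {"cres": sorted(visited),
            "standards": {k: sorted(v) for k, v in sorted(standards.items())}}


if __name__ == "__main__":
    print(resolve_card("VE2"))
```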

We could just maintain CRE links from http://cornucopia.owasp.org as well. What I wonder is: from OpenCRE, wouldn't there be a benefit from being able to combine threat modeling with the process of application security requirement analysis?

sydseter avatar Mar 02 '25 17:03 sydseter

Further in the future, wouldn't combining these two processes also make it possible to automate the resolution of these threats according to the applicable security requirements found during the threat modeling process, or to assist the developer in doing threat modeling and requirement analysis through conversations and reports with/from an AI?

sydseter avatar Mar 02 '25 17:03 sydseter

Also, what if you could use an AI as a facilitator or dungeon master to facilitate threat modeling sessions or the threat modeling game instead of an application security engineer or threat modeling expert?

sydseter avatar Mar 02 '25 20:03 sydseter