logo
allArticlesConferencesPresentations

The future is simple - introducing the CRE

Conference:  OWASP 20th Anniversary Event

2021-09-24

Authors:   Rob van der Veer, Spyros Gasteratos

Abstract

Abstract:​This presentation marks the official go-live of the Common Requirement Enumeration initiative, as an interactive linking platform across standards and guidelines.Software is becoming more important for us every day, and at the same time software security is complex and not getting any easier. This is our calling as appsec professionals. To deal with this, we have built great tools and helpful standards and guidelines. But because there is no single silver bullet, we now face the big challenge to combine all these separate solutions into an integrated approach – to make it easier for the experts, but above all: to bring application security within reach of a larger group of people. This is essential because the shortage of application security superheroes is not expected to go away. Therefore, the key to a secure future is to make appsec more accessible. More simple.Unfortunately, making things simple is not easy. Within OWASP, an initiative to drive integration has started in 2020, with the Integration standards project. Its goal is to link and align key standards (OWASP and others), by providing a unified framework to attain more consistency, completeness, overview and clarity.One of the results has been the Appsec wafyinder: an interactive map of the key OWASP projects.Another, more substantial effort is the Common Requirement Enumeration(CRE): a semantic web that links standards at the level of topics, within OWASP and beyond (NIST, PCI-DSS, ISO/IEC, MITRE, CIS etc etc). The CRE ties all standards and guidelines together and allows people to jump from source to source to learn more on a specific subject. For example, the CRE links an ASVS check to the corresponding Testing guide section, with the right Cheat sheet, Pro-active control and Top 10 entry.This meta-mapping is self-maintaining, so when standards refer to other standards using the CRE: those links will automatically stay up to date. The important side-effects of this integration are increased consensus, more clarity and a mutual understanding of what application security is for developers, ops, testers, security teams, management, procurement and other stakeholders, across domains. No more silos. The future is simple.This presentation officially launches the CRE, discusses the extensive research that has been done on the landscape of appsec standards and describes how alignment is created through the unified CRE framework - positioning OWASP as a driver of community-based global consensus .​​​​​​​
Materials:
Tags:
Application Security
AppSec
software security
Security standards
Semantic web

Post a comment

Related work

Open Standards: Anchoring Extensibility for Cloud-Native Tooling

Conference:  KubeCon + CloudNativeCon Europe 2021
Authors: Katie Gamanji

Shifting Knowledge Left: Keeping up with Modern Application Security

Conference:  BlackHat USA 2019
Authors:
2019-08-08

Leveraging OWASP Projects and Tools in Your AppSec Program

Conference:  Global AppSec San Francisco 2022
Authors: John DiLeo
2022-11-17

Securing Diverse Supply Chains Across Interconnected Systems

Conference:  Cloud Native SecurityCon North America 2023
Authors: Wayne Starr, Aaron Creel

Key Lessons Learned from Building a Wealth Management Portal Using Cloud Native Architecture

Conference:  CloudOpen 2022
Authors: Ankur Kumar
2022-06-21

Engaging the Next Generation of Cybersecurity Professionals: The Power of Security Zines

Conference:  Black Hat Asia 2023
Authors: Rohit Sehgal
2023-05-12