The future is simple - introducing the CRE


Authors:   Rob van der Veer, Spyros Gasteratos


Abstract:​This presentation marks the official go-live of the Common Requirement Enumeration initiative, as an interactive linking platform across standards and guidelines.Software is becoming more important for us every day, and at the same time software security is complex and not getting any easier. This is our calling as appsec professionals. To deal with this, we have built great tools and helpful standards and guidelines. But because there is no single silver bullet, we now face the big challenge to combine all these separate solutions into an integrated approach – to make it easier for the experts, but above all: to bring application security within reach of a larger group of people. This is essential because the shortage of application security superheroes is not expected to go away. Therefore, the key to a secure future is to make appsec more accessible. More simple.Unfortunately, making things simple is not easy. Within OWASP, an initiative to drive integration has started in 2020, with the Integration standards project. Its goal is to link and align key standards (OWASP and others), by providing a unified framework to attain more consistency, completeness, overview and clarity.One of the results has been the Appsec wafyinder: an interactive map of the key OWASP projects.Another, more substantial effort is the Common Requirement Enumeration(CRE): a semantic web that links standards at the level of topics, within OWASP and beyond (NIST, PCI-DSS, ISO/IEC, MITRE, CIS etc etc). The CRE ties all standards and guidelines together and allows people to jump from source to source to learn more on a specific subject. For example, the CRE links an ASVS check to the corresponding Testing guide section, with the right Cheat sheet, Pro-active control and Top 10 entry.This meta-mapping is self-maintaining, so when standards refer to other standards using the CRE: those links will automatically stay up to date. The important side-effects of this integration are increased consensus, more clarity and a mutual understanding of what application security is for developers, ops, testers, security teams, management, procurement and other stakeholders, across domains. No more silos. The future is simple.This presentation officially launches the CRE, discusses the extensive research that has been done on the landscape of appsec standards and describes how alignment is created through the unified CRE framework - positioning OWASP as a driver of community-based global consensus .​​​​​​​