| 1 | +--- |
| 2 | + |
| 3 | +title: OpenCRE and Integration Standards |
| 4 | +layout: col-document |
| 5 | +tags: OWASP Developer Guide |
| 6 | +contributors: Jon Gadsden |
| 7 | +document: OWASP Developer Guide |
| 8 | +order: 503 |
| 9 | +permalink: /draft/requirements/opencre_integration_standard/ |
| 10 | + |
| 11 | +--- |
| 12 | + |
| 13 | +{% include breadcrumb.html %} |
| 14 | + |
| 15 | +[OpenCRE logo](../../../assets/images/logos/opencre.png "OWASP OpenCRE"){: height="180px" } |
| 16 | + |
| 17 | +### 3.3 OpenCRE |
| 18 | + |
| 19 | +The [Open Common Requirement Enumeration][opencre] (OpenCRE) is a catalog of security requirements: |
| 20 | +enumerating security topics and providing links to various standards, cheat sheets and guides. |
| 21 | + |
| 22 | +The OWASP [Integration Standards][intstand] project includes both the OpenCRE and Security |
| 23 | +and the Application Security Wayfinder, it is an OWASP documentation project with production status. |
| 24 | + |
| 25 | +#### What is the Integration Standards project? |
| 26 | + |
| 27 | +The [Integration Standards][intstand] project is at the centre of the OWASP project community; |
| 28 | +it provides guidance on how to navigate and use the many projects within OWASP. |
| 29 | +It does this in two ways, first is the [Application Security Wayfinder][intstand] which provides a visual map |
| 30 | +of the most important OWASP projects - as of August 2024 there are 345 [OWASP projects][projects] |
| 31 | +so this is a really useful visualization. |
| 32 | +The second is the Open Common Requirement Enumeration ([OpenCRE][opencre]) which provides a consolidated reference of |
| 33 | +standards, cheat sheets, tools and other enumerations (such as [CWE][cwe]). |
| 34 | + |
| 35 | +The Integration Standards project has also produced OWASP [Application Security Fragmentation][sdlc] |
| 36 | +write-up on OWASP and the secure Software Development LifeCycle (SDLC). |
| 37 | +This provides an overview of tools and techniques used for most SDLCs. |
| 38 | + |
| 39 | +#### What is OpenCRE? |
| 40 | + |
| 41 | +[OpenCRE][opencre] is a catalog, or enumeration, of various standards and reference material, including: |
| 42 | + |
| 43 | +* [CAPEC][capecocre] |
| 44 | +* [CWE][cweocre] |
| 45 | +* [NIST Special Publications][nist] [800-53][nist53] and [800-63][nist63] |
| 46 | +* OWASP [ASVS][asvs] |
| 47 | +* OWASP [Top10][top10ocre] |
| 48 | +* OWASP [Proactive Controls][proactiveocre] |
| 49 | +* OWASP [Cheat Sheets][csocre] |
| 50 | +* OWASP [WSTG][wstgocre] |
| 51 | +* [ZAP][zapocre] from [Crash Override][crash] |
| 52 | + |
| 53 | +The aim of this project is to 'Link all the things with OpenCRE' which will: |
| 54 | + |
| 55 | +* make it easier for engineers, security officers, testers and procurement to find relevant information |
| 56 | +* make it easier for standards makers to create and maintain references |
| 57 | + |
| 58 | +#### Why use OpenCRE? |
| 59 | + |
| 60 | +OpenCRE: 'Everything organized' |
| 61 | + |
| 62 | +[OpenCRE][opencre] is a powerful tool that can provide developers with links to many resources, and is easy to use. |
| 63 | +It provides a one-stop consolidated set of references on various security terms and domains, |
| 64 | +and crucially these are automatically kept up to date. |
| 65 | +The provides a handy security catalog that can be searched for various standards or security terms. |
| 66 | + |
| 67 | +As well as being useful for day to day security questions, |
| 68 | +the OpenCRE can also be used as the reference section in documentation; |
| 69 | +linking across to the OpenCRE rather than providing a list of references means the links are kept up to date automatically. |
| 70 | + |
| 71 | +#### How to use OpenCRE |
| 72 | + |
| 73 | +The [OpenCRE][opencre] catalog can be accessed in traditional ways such as using searches or linking across to it. |
| 74 | +For example OpenCRE references to the Common Weakness Enumeration can be accessed using the [search facility][cweocre] |
| 75 | +or by linking across directly to a [specific Open Common Requirement][cwe1002]. |
| 76 | + |
| 77 | +OpenCRE is also useful when providing references in documentation. |
| 78 | +OpenCRE can be used for these references instead of listing various references to a security concept or requirement. |
| 79 | +This will provide links to standards, cheat sheets, tools and other enumerations - |
| 80 | +along with other sources that have been added over time - and all kept up to date. |
| 81 | +So no more broken links or referring to out of date versions :) |
| 82 | + |
| 83 | +This is now the age of large language models, and OpenCRE has embraced this technology. |
| 84 | +Immediate answers to security questions or searches can be provided by [OpenCRE Chat][opencrechat]. |
| 85 | + |
| 86 | +For example, in answer to the question "_what use is the OWASP Developer Guide?_" |
| 87 | +OpenCRE Chat provides the agreeable answer: |
| 88 | + |
| 89 | +_"The OWASP Developer Guide provides a comprehensive overview of application security risks and how to mitigate them._ |
| 90 | +_It covers topics such as input validation, output encoding, secure coding practices, and secure design principles._ |
| 91 | +_The guide is a valuable resource for developers who want to create secure applications."_ |
| 92 | + |
| 93 | +#### References |
| 94 | + |
| 95 | +* OWASP [OpenCRE][opencre] |
| 96 | +* [Spotlight on OpenCRE][spotlight28] |
| 97 | +* OWASP [Application Security Fragmentation][sdlc] |
| 98 | +* OWASP [Integration Standards][intstand] project |
| 99 | +* [Understanding the Complete Chain of Application Security Using OpenCRE org][opencretalk] |
| 100 | + |
| 101 | +---- |
| 102 | + |
| 103 | +The OWASP Developer Guide is a community effort; if there is something that needs changing |
| 104 | +then [submit an issue][issue0503] or [edit on GitHub][edit0503]. |
| 105 | + |
| 106 | +[asvs]: https://owasp.org/www-project-application-security-verification-standard/ |
| 107 | +[capecocre]: https://opencre.org/search/CAPEC |
| 108 | +[crash]: https://crashoverride.com/ |
| 109 | +[csocre]: https://opencre.org/search/OWASP%20Cheat%20Sheets |
| 110 | +[cweocre]: https://opencre.org/search/CWE |
| 111 | +[cwe]: https://cwe.mitre.org/ |
| 112 | +[cwe1002]: https://www.opencre.org/node/standard/CWE/sectionid/1002 |
| 113 | +[edit0503]: https://github.com/OWASP/www-project-developer-guide/blob/main/draft/05-requirements/03-opencre.md |
| 114 | +[intstand]: https://owasp.org/www-project-integration-standards/ |
| 115 | +[issue0503]: https://github.com/OWASP/www-project-developer-guide/issues/new?labels=content&template=request.md&title=Update:%2005-requirements/03-opencre |
| 116 | +[nist]: https://csrc.nist.gov/ |
| 117 | +[nist53]: https://www.nist.gov/privacy-framework/nist-privacy-framework-and-cybersecurity-framework-nist-special-publication-800-53 |
| 118 | +[nist63]: https://pages.nist.gov/800-63-3/ |
| 119 | +[opencre]: https://www.opencre.org/ |
| 120 | +[opencrechat]: https://www.opencre.org/chatbot |
| 121 | +[opencretalk]: https://www.youtube.com/watch?v=VPOkT9quve0 |
| 122 | +[proactiveocre]: https://www.opencre.org/search/Proactive%20Controls |
| 123 | +[projects]: https://owasp.org/projects/ |
| 124 | +[sdlc]: https://owasp.org/www-project-integration-standards/writeups/owasp_in_sdlc/ |
| 125 | +[spotlight28]: https://www.youtube.com/watch?v=TwNroVARmB0&list=PLUKo5k_oSrfOTl27gUmk2o-NBKvkTGw0T |
| 126 | +[top10ocre]: https://www.opencre.org/search/OWASP%20Top%2010 |
| 127 | +[wstgocre]: https://opencre.org/search/WSTG |
| 128 | +[zapocre]: https://opencre.org/search/ZAP |
| 129 | + |
| 130 | +\newpage |
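Review bot: the logo line uses link syntax rather than image syntax, `[OpenCRE logo](../../../assets/images/logos/opencre.png "OWASP OpenCRE"){: height="180px" }`, so it will render as a text link and the `height` attribute will apply to an anchor, not an image; it needs a leading `!`. Two sentences in the new text are also broken: "includes both the OpenCRE and Security and the Application Security Wayfinder" has lost its second item (presumably "includes both the OpenCRE and the Application Security Wayfinder"), and "The provides a handy security catalog" should read "This provides". In the reference list, `[nist53]` points at NIST's privacy-framework page rather than the SP 800-53 publication, and `[top10ocre]` and `[proactiveocre]` use `www.opencre.org` while the other OpenCRE search links use `opencre.org`; worth making those consistent before this goes out of draft.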