├── README.md ├── capability-areas ├── operational-visibility │ └── page.md ├── quality-control │ └── page.md ├── risk-management │ └── page.md ├── secure-build-and-deployment │ └── page.md ├── secure-product-implementation │ └── page.md └── secure-product-management │ └── page.md ├── concepts ├── accountability-and-responsibility │ └── page.md ├── capabilities-drive-secure-products │ └── page.md ├── security-quality │ └── page.md ├── security-requirements-not-security-opinions │ └── page.md └── understanding-information-opportunity │ └── page.md ├── contributing └── how-to-contribute │ └── page.md ├── data └── capabilities.json ├── intro ├── acknowledgements │ └── page.md ├── adopting-this-framework │ └── page.md ├── how-this-framework-helps │ └── page.md ├── licensing │ └── page.md └── what-is-a-framework │ └── page.md └── license.txt /README.md: -------------------------------------------------------------------------------- 1 | [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8385/badge)](https://www.bestpractices.dev/projects/8385) 2 | 3 | # OWASP Product Security Capability Framework (PSCF) 4 | 5 | https://prods.ec/ 6 | 7 | The OWASP Product Security Capability Framework (PSCF) is a comprehensive guide designed to frame and enhance the security of software products. By leveraging a structured approach to identify, implement, and manage security capabilities, the PSCF aims to improve product security and ensure compliance with regulatory and industry standards. 8 | 9 | ## Introduction 10 | 11 | Security is a critical aspect of software product quality. The OWASP PSCF provides a meta-analysis across various regulatory frameworks and industry standards to outline best practices in product security. This framework is intended for organizations looking to elevate their security posture through a systematic and evidence-based approach. 
12 | 13 | ## Framework Core Concepts 14 | 15 | - **Security Requirements, Not Security Opinions**: The PSCF is built on the foundation of security requirements derived from a thorough analysis of regulatory frameworks and industry standards, avoiding subjective opinions. 16 | - **Capabilities Drive Secure Product**: By focusing on fundamental security capabilities, the PSCF ensures that product delivery meets the highest security standards. 17 | - **Understanding, Information, & Opportunity**: Emphasizes the importance of knowledge and awareness in implementing security measures effectively. 18 | - **Accountability & Responsibility**: Assigns clear accountability and responsibilities within the organization to maintain a high level of security. 19 | 20 | ## Framework Capability Areas 21 | 22 | 1. **Risk Management**: Identifies, assesses, and mitigates risks to enhance product security and support business objectives. 23 | 2. **Secure Product Management**: Ensures that product management practices incorporate security considerations from the outset. 24 | 3. **Secure Product Implementation**: Guides the implementation phase to integrate security measures seamlessly. 25 | 4. **Secure Build & Deployment**: Focuses on secure methodologies for building and deploying software products. 26 | 5. **Quality Control**: Establishes quality control measures to maintain security standards throughout the product lifecycle. 27 | 6. **Operational Visibility**: Enhances visibility into operations to detect and respond to security threats promptly. 28 | 29 | ## Adopting the Framework 30 | 31 | Implementing the PSCF in your organization involves: 32 | 33 | 1. **Understanding Your Compliance Obligations**: Identify both external and internal compliance obligations relevant to your organization. 34 | 2. **Evaluating Your Security Capabilities**: Assess your current security capabilities against the PSCF to identify areas for improvement. 35 | 3. 
**Continuous Capability Improvement**: Implement a process for ongoing evaluation and enhancement of security capabilities. 36 | 37 | ## Contributing 38 | 39 | We welcome contributions from the community to further enhance the PSCF. Whether you have suggestions for improvement, new capabilities to add, or want to share your implementation experiences, your input is valuable to us. 40 | 41 | ## Licensing 42 | 43 | The OWASP Product Security Capability Framework is open source and free to use. It is licensed under the [Creative Commons Attribution-ShareAlike 3.0 license](https://creativecommons.org/licenses/by-sa/3.0/). 44 | 45 | ## Acknowledgements 46 | 47 | We extend our gratitude to the numerous contributors and the security community for their invaluable input and feedback in developing this framework. Together, we strive to make software products more secure, protecting organizations and their customers from security threats. For detailed information and involvement, visit [our website](https://prods.ec/). 48 | -------------------------------------------------------------------------------- /capability-areas/operational-visibility/page.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Operational Visibility 3 | nextjs: 4 | metadata: 5 | title: Operational Visibility 6 | description: A description of the Operational Visibility capability area. 7 | --- 8 | 9 | {% video src="https://www.youtube.com/embed/_WHDUzfZrmc?si=8FnifIfNWCEZeeDI" /%} 10 | 11 | ## Area Overview 12 | 13 | Operational Visibility in product development is an essential facet that focuses on gaining a clear and comprehensive view of the product's performance and behavior in real-time operational settings. It's about having a transparent, eagle-eyed view over the entire operational spectrum of the product, ensuring that every pulse and signal is monitored, analyzed, and understood. 
This practice enables organizations to anticipate issues, fine-tune performance, and ensure that the product not only functions as intended but also adapts and evolves in alignment with user needs and environmental dynamics. 14 | 15 | These capabilities are crucial for maintaining a proactive stance in product management, allowing teams to swiftly identify and address potential issues, optimize performance, and enhance user experience. Operational Visibility is the watchtower that ensures smooth sailing of the product, alerting the crew at the slightest sign of turbulence or anomaly. 16 | 17 | ### Benefits 18 | 19 | * **Proactive Issue Identification and Resolution:** Continuous monitoring and analysis enable early detection of potential issues, allowing for swift resolution before they escalate. 20 | * **Informed Decision-Making:** Real-time data and insights about the product's performance guide strategic decisions, ensuring that they are data-driven and aligned with actual operational realities. 21 | * **Enhanced User Experience:** Understanding real-world product usage and behavior facilitates targeted improvements and optimizations, leading to a better and more satisfying user experience. 22 | * **Operational Efficiency:** Insights gained from operational visibility can streamline processes, reduce downtime, and optimize resource utilization, contributing to overall operational efficiency and effectiveness. 23 | 24 | ## Environment Management [PSCF‑OV‑EM] 25 | 26 | _The capability to apply secure system configurations and evaluate any that change_ 27 | 28 | {% video src="https://www.youtube.com/embed/cG4nQLV-tas?si=HE9i0QO8WZeH_Blj" /%} 29 | 30 | ### Capability Overview 31 | 32 | Environment Management is a critical aspect of product security, focusing on the secure configuration of software products and their components. 
In today's digital world, where cybersecurity threats are omnipresent, having robust environment management practices is not just beneficial but essential. It ensures that products are not only functionally effective but also secure from various cyber threats. This capability is particularly important because default configurations often prioritize ease of use over security, leaving systems vulnerable to attacks. 33 | 34 | Environment Management involves understanding and modifying the default configurations of a product's libraries and components to enhance security. The challenge lies in maintaining these secure configurations amidst frequent product changes and potential attacks aimed at weakening system configurations. Effective environment management requires continuous monitoring for any configuration changes, known as "configuration drift," and evaluating their impact on product security. It's about striking a balance between usability and security, ensuring that products are not only easy to use but also resilient against cyber threats. 35 | 36 | ### Compliance Requirement 37 | 38 | {% compliance capability_id="PSCF-OV-EM" / %} 39 | 40 | ### Accountability 41 | 42 | {% accountability capability_id="PSCF-OV-EM" / %} 43 | 44 | ### Responsibility 45 | 46 | {% responsibility capability_id="PSCF-OV-EM" / %} 47 | 48 | ## Incident Detection [PSCF‑OV‑ID] 49 | 50 | _The capability to analyse product events and evaluate them for those that indicate a security incident_ 51 | 52 | {% video src="https://www.youtube.com/embed/XrGPMdrsnJM?si=1Xz_-L3h8PiohER5" /%} 53 | 54 | ### Capability Overview 55 | 56 | Incident Detection is a key component in maintaining the security of software products. In an environment where cyber threats are constantly evolving, the ability to quickly detect security incidents can mean the difference between a minor disruption and a major breach. 
The challenge lies in the extended periods during which breaches can remain undetected, allowing attackers to cause significant damage. 57 | 58 | This capability focuses on enhancing visibility into product behavior so that security anomalies can be identified swiftly. It requires a deep understanding of normal system behavior to detect deviations effectively. It involves ensuring the quality of product logs, setting up automated monitoring and alerting systems, and regularly reviewing logs to identify patterns of abnormal activity. Effective incident detection reduces the time attackers remain in the system and limits the extent of damage. 59 | 60 | ### Compliance Requirement 61 | 62 | {% compliance capability_id="PSCF-OV-ID" / %} 63 | 64 | ### Accountability 65 | 66 | {% accountability capability_id="PSCF-OV-ID" / %} 67 | 68 | ### Responsibility 69 | 70 | {% responsibility capability_id="PSCF-OV-ID" / %} 71 | 72 | ## Incident Response [PSCF‑OV‑IR] 73 | 74 | _The capability to apply appropriate responses to identified security incidents_ 75 | 76 | {% video src="https://www.youtube.com/embed/x3lte4VYxh4?si=LLkB--U6zdv9uJO3" /%} 77 | 78 | ### Capability Overview 79 | 80 | Incident Response is crucial in the landscape of cybersecurity. It's not just about responding to incidents but doing so in a manner that is swift, effective, and minimizes damage. A robust incident response capability is essential for any organization to maintain trust with customers and ensure the continuity of operations. 81 | 82 | This capability encompasses identifying incidents, containing and eradicating threats, and then recovering from the incident. The goal is to handle incidents in a way that reduces their impact, and to learn from them to prevent future occurrences. It's about being prepared, responsive, and adaptive in the face of security threats. 
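The Environment Management capability above (evaluating configuration changes for their security impact) and the Incident Detection capability (analysing product events for those that indicate an incident) both come down to the same mechanism: a stream of product events evaluated against a baseline and a set of rules, producing alerts that Incident Response then acts on. The following is an added example of such a monitor written for this page; it is not code from the PSCF project. The JSON-lines event format, the field names, the security baseline, the thresholds and the sample events are all assumptions constructed for the illustration.

```python
"""
Added example (not PSCF project code): evaluate a stream of product events for
(a) configuration drift that weakens security and (b) a pattern of failed logins
that indicates a brute-force attempt. Event format, field names, baseline and
thresholds are assumptions made for this illustration.
"""
import json
from collections import defaultdict, deque

# Assumed security baseline for the product's runtime configuration. Each value
# is the weakest acceptable setting; a change to something weaker is drift that
# matters for security, while a change to something stronger is not alerted on.
BASELINE = {
    "tls_min_version": "1.2",
    "debug_endpoints": False,
    "session_timeout_minutes": 30,
    "admin_allow_cidrs": ["10.0.0.0/8"],
}

def weaker(key, new):
    """True when `new` is a weaker setting than the baseline for `key`."""
    base = BASELINE[key]
    if key == "tls_min_version":
        return tuple(map(int, new.split("."))) < tuple(map(int, base.split(".")))
    if key == "debug_endpoints":
        return bool(new) and not base
    if key == "session_timeout_minutes":
        return int(new) > int(base)          # longer sessions widen the exposure window
    if key == "admin_allow_cidrs":
        return not set(new).issubset(base)   # any CIDR outside the baseline widens access
    return False

FAILED_LOGIN_THRESHOLD = 5   # failures from one source within the window
WINDOW_SECONDS = 60

def analyse(events):
    """Return a list of alert dicts for an iterable of event dicts (ordered by ts)."""
    alerts = []
    failures = defaultdict(deque)   # source ip -> timestamps of recent failed logins
    alerted_sources = set()         # alert once per source to avoid flooding responders
    for ev in events:
        kind = ev.get("event")
        if kind == "config_change":
            key = ev["key"]
            if key in BASELINE and weaker(key, ev["new"]):
                alerts.append({"type": "config_drift", "key": key, "old": ev["old"],
                               "new": ev["new"], "actor": ev.get("actor"), "ts": ev["ts"]})
        elif kind == "login" and not ev.get("success", True):
            src = ev["src_ip"]
            q = failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW_SECONDS:   # sliding window
                q.popleft()
            if len(q) >= FAILED_LOGIN_THRESHOLD and src not in alerted_sources:
                alerted_sources.add(src)
                alerts.append({"type": "brute_force", "src_ip": src,
                               "failures": len(q), "ts": ev["ts"]})
    return alerts

# Constructed sample event stream (JSON lines); not real product data.
SAMPLE_LOG = """
{"ts": 100, "event": "config_change", "actor": "deploy-bot", "key": "session_timeout_minutes", "old": 30, "new": 15}
{"ts": 110, "event": "config_change", "actor": "alice", "key": "tls_min_version", "old": "1.2", "new": "1.0"}
{"ts": 120, "event": "login", "user": "bob", "src_ip": "203.0.113.7", "success": false}
{"ts": 121, "event": "login", "user": "bob", "src_ip": "203.0.113.7", "success": false}
{"ts": 122, "event": "login", "user": "carol", "src_ip": "203.0.113.7", "success": false}
{"ts": 123, "event": "login", "user": "dave", "src_ip": "203.0.113.7", "success": false}
{"ts": 124, "event": "login", "user": "erin", "src_ip": "203.0.113.7", "success": false}
{"ts": 300, "event": "login", "user": "bob", "src_ip": "198.51.100.9", "success": false}
{"ts": 305, "event": "config_change", "actor": "alice", "key": "debug_endpoints", "old": false, "new": true}
""".strip()

def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for alert in analyse(parse_jsonl(SAMPLE_LOG)):
        print(alert)
```

On the sample stream this yields three alerts: the TLS minimum being lowered to 1.0, the five failures from 203.0.113.7 within one minute, and debug endpoints being switched on. The session timeout being shortened from 30 to 15 minutes is a configuration change but not drift that weakens security, so it is not alerted, and the single failure from 198.51.100.9 stays below the threshold. Judging the impact of a change rather than merely its occurrence is the point the Environment Management text makes about drift, and the alert-once-per-source rule keeps the detection output usable by the responders who consume it.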
83 | 84 | ### Compliance Requirement 85 | 86 | {% compliance capability_id="PSCF-OV-IR" / %} 87 | 88 | ### Accountability 89 | 90 | {% accountability capability_id="PSCF-OV-IR" / %} 91 | 92 | ### Responsibility 93 | 94 | {% responsibility capability_id="PSCF-OV-IR" / %} 95 | -------------------------------------------------------------------------------- /capability-areas/quality-control/page.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Quality Control 3 | nextjs: 4 | metadata: 5 | title: Quality Control 6 | description: A description of the Quality Control capability area 7 | --- 8 | 9 | {% video src="https://www.youtube.com/embed/-itBg7_1qiQ?si=krCXinDEZCcwvPk8" /%} 10 | 11 | ## Area Overview 12 | 13 | Quality Control in the realm of product development is a critical discipline focused on maintaining and enhancing the integrity, reliability, and performance of the product. It's not just about finding defects or issues; it's about ensuring that the product meets the highest standards of quality from every angle. This crucial phase acts as a gatekeeper, rigorously testing and scrutinizing every component of the product to ensure that it not only meets the predefined standards and expectations but also surpasses them. 14 | 15 | These capabilities are pivotal in identifying any discrepancies, weaknesses, or potential improvements in the product before it reaches the end-user. By implementing a robust Quality Control process, organizations can avoid costly recalls, maintain customer trust, and uphold their reputation in the market. It's a proactive commitment to excellence, ensuring that the final product is not just good but exceptional. 16 | 17 | ### Benefits 18 | 19 | * **Enhanced Product Performance and Reliability:** Regular and thorough quality checks ensure that every aspect of the product is functioning optimally, enhancing overall performance and reliability. 
20 | * **Customer Satisfaction and Loyalty:** Delivering products that consistently meet or exceed customer expectations fosters trust and loyalty, reinforcing the brand's reputation for quality. 21 | * **Reduction in Post-Release Issues:** Identifying and rectifying issues during the Quality Control phase significantly reduces the incidence of bugs and issues post-release, minimizing the need for patches and updates. 22 | * **Cost Efficiency:** Early detection and correction of defects or quality issues prevent costly fixes post-deployment and reduce the risk of warranty claims and returns. 23 | 24 | ## Component Security Testing [PSCF‑QC‑CST] 25 | 26 | _The capability to analyse products for security issues in source code and included libraries_ 27 | 28 | {% video src="https://www.youtube.com/embed/hRUVooGHZ3A?si=YBe7WJoSguf3V2o4" /%} 29 | 30 | ### Capability Overview 31 | 32 | Component Security Testing is vital in ensuring that the individual components within a software system are secure. In the modern development ecosystem, where applications are often built by assembling various components like libraries, frameworks, and modules, the security of each component is crucial. Vulnerabilities in any single component can compromise the entire system, making it essential to thoroughly test each one for security issues. 
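As an added illustration of the Component Security Testing capability above (example code written for this page, not part of the PSCF project), the following checks the libraries included in a product against a list of known-vulnerable version ranges. The lockfile format (a plain `name==version` list), the advisory entries and their `ADV-` identifiers are all constructed for the illustration and do not refer to real packages or advisories. The one detail worth taking from it is that versions must be compared numerically, component by component: a scanner that compares version strings lexicographically will conclude that `1.9.7` is newer than the fixed version `1.10.1` and miss the finding.

```python
"""
Added example (not PSCF project code): match included library versions against
constructed advisory ranges. Lockfile format, package names and advisory ids
are assumptions made for this illustration.
"""
import re

def parse_version(s):
    """'1.10.2' -> (1, 10, 2) so comparison is numeric, not lexicographic."""
    return tuple(int(p) for p in re.findall(r"\d+", s))

def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed; fixed=None means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

# Constructed advisory data: one entry per affected version range.
ADVISORIES = [
    {"id": "ADV-0001", "package": "jsonparse",  "introduced": "1.0.0", "fixed": "1.10.1", "severity": "high"},
    {"id": "ADV-0002", "package": "httpclient", "introduced": "2.3.0", "fixed": None,     "severity": "critical"},
    {"id": "ADV-0003", "package": "templater",  "introduced": "0.9.0", "fixed": "1.2.0",  "severity": "medium"},
]

# Constructed lockfile excerpt for the product under test.
LOCKFILE = """
jsonparse==1.9.7
httpclient==2.4.1
templater==1.2.0
logfmt==3.1.0
"""

def parse_lockfile(text):
    """Return {package: version} from a simple name==version list."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        deps[name.strip()] = version.strip()
    return deps

def find_vulnerable(deps, advisories=ADVISORIES):
    """Return findings as (package, version, advisory id, severity) tuples."""
    findings = []
    for adv in advisories:
        version = deps.get(adv["package"])
        if version and in_range(version, adv["introduced"], adv["fixed"]):
            findings.append((adv["package"], version, adv["id"], adv["severity"]))
    return findings

if __name__ == "__main__":
    for finding in find_vulnerable(parse_lockfile(LOCKFILE)):
        print(finding)
```

Run against the constructed lockfile this reports `jsonparse 1.9.7` (below the fixed version `1.10.1`) and `httpclient 2.4.1` (affected range with no fix yet); `templater 1.2.0` is exactly the fixed version and so is clean. Findings like these are the input to the Security Defect Management capability that follows.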
33 | 34 | ### Compliance Requirement 35 | 36 | {% compliance capability_id="PSCF-QC-CST" / %} 37 | 38 | ### Accountability 39 | 40 | {% accountability capability_id="PSCF-QC-CST" / %} 41 | 42 | ### Responsibility 43 | 44 | {% responsibility capability_id="PSCF-QC-CST" / %} 45 | 46 | ## Exploratory Security Testing [PSCF‑QC‑EST] 47 | 48 | _The capability to analyse products for security issues in running systems_ 49 | 50 | {% video src="https://www.youtube.com/embed/4g0gQE-yjWk?si=QenWsdN5XBUD6W6R" /%} 51 | 52 | ### Capability Overview 53 | 54 | Exploratory Security Testing is an approach that combines security testing with explorative, often manual, techniques. This type of testing is crucial because it allows testers to uncover vulnerabilities that automated tools might miss, providing a more comprehensive understanding of a system's security posture. 56 | 57 | Often known as penetration testing, this approach has testers actively engage with the running software, trying out different scenarios and using their expertise and creativity to identify potential security issues. This method is particularly effective in finding complex security vulnerabilities that require a human touch, such as business logic errors or sophisticated attack vectors. 58 | 59 | ### Compliance Requirement 60 | 61 | {% compliance capability_id="PSCF-QC-EST" / %} 62 | 63 | ### Accountability 64 | 65 | {% accountability capability_id="PSCF-QC-EST" / %} 66 | 67 | ### Responsibility 68 | 69 | {% responsibility capability_id="PSCF-QC-EST" / %} 70 | 71 | ## Security Defect Management [PSCF‑QC‑SDM] 72 | 73 | _The capability to evaluate findings from security checks through to resolution_ 74 | 75 | {% video src="https://www.youtube.com/embed/32JSv4TEwMs?si=OjX51BmPDQ6895yg" /%} 76 | 77 | ### Capability Overview 78 | 79 | Security Defect Management is a critical process in the software development lifecycle. It involves the identification, prioritization, and remediation of security-related defects in software products. 
Effective management of security defects is essential to mitigate risks and maintain the integrity of the software. 79 | 80 | It is more than just fixing bugs; it's about understanding the impact of those bugs on the overall security of the product and ensuring they are addressed appropriately. This process involves triaging reported security issues, prioritizing them based on severity and impact, and systematically resolving them. 81 | 82 | ### Compliance Requirement 83 | 84 | {% compliance capability_id="PSCF-QC-SDM" / %} 85 | 86 | ### Accountability 87 | 88 | {% accountability capability_id="PSCF-QC-SDM" / %} 89 | 90 | ### Responsibility 91 | 92 | {% responsibility capability_id="PSCF-QC-SDM" / %} 93 | -------------------------------------------------------------------------------- /capability-areas/risk-management/page.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Risk Management 3 | nextjs: 4 | metadata: 5 | title: Risk Management 6 | description: A description of the Risk Management capability area. 7 | --- 8 | 9 | {% video src="https://www.youtube.com/embed/T6dloXMKrwc?si=lE4BMMcbmTZb1zbY" /%} 10 | 11 | ## Area Overview 12 | 13 | Risk management is a dynamic and integral part of product development and management. It’s not a one-time activity but a continuous process that evolves with the product and the surrounding threat landscape. By effectively managing risks, organizations can not only protect their products but also support their overall business objectives and maintain customer trust. 14 | 15 | These capabilities ensure you can identify, assess, and mitigate risks associated with product security. A Risk Management approach is crucial in today's landscape where products, especially digital or software-based ones, face a myriad of security threats that can impact not only the product's functionality and integrity but also the organization's reputation and customer trust. 
16 | 17 | ### Benefits 18 | 19 | * **Enhanced Product Security:** By systematically managing risks, the security of the product is significantly enhanced. 20 | * **Informed Decision Making:** It provides stakeholders with crucial information, aiding in making informed decisions about product development and security investment. 21 | * **Regulatory Compliance:** Helps in meeting legal and regulatory requirements, reducing the risk of penalties or legal issues. 22 | * **Customer Trust and Brand Protection:** A secure product fosters customer trust and protects the brand's reputation. 23 | 24 | 25 | ## Organisational Operating Model [PSCF‑RM‑OOM] 26 | 27 | _The capability to evaluate and apply fair and scalable accountabilities and responsibilities for capabilities across the delivery organisation._ 28 | 29 | ### Capability Overview 30 | 31 | Enabling the definition and refinement of the internal structure of a product delivery organization is the purpose of the Organizational Operating Model (OOM) capability. This capability plays a pivotal role in facilitating well-defined structures, streamlined processes, and collaborative ways of working, all aimed at crystallizing the accountabilities and responsibilities within the organization. 32 | 33 | At the heart of OOM lies the articulation of roles and responsibilities, ensuring every team member understands their contribution to the organization's success. This clarity is not just about internal coherence; it extends to delineating a transparent and accountable framework that resonates with external regulatory expectations. A key aspect of OOM is ensuring that the model is not just robust but also adaptable, capable of scaling and evolving in harmony with the organization's growth and the dynamic regulatory landscape. 34 | 35 | Involvement of leadership and stakeholders is crucial in OOM. 
These key players must possess a deep understanding of the organization's goals, the intricacies of product delivery, and the regulatory requirements that shape the industry landscape. They are instrumental in addressing 'what if' scenarios that might challenge the existing operational model, ensuring the organization remains resilient and responsive to change. 36 | 37 | Choosing the right structure and processes to focus on within the OOM is essential. While it might be tempting to cover every conceivable aspect, the priority should be on those areas that significantly influence accountability, transparency, and compliance, ensuring a robust, compliant, and efficient operating model. 38 | 39 | ### Compliance Requirement 40 | 41 | {% compliance capability_id="PSCF-RM-OOM" / %} 42 | 43 | ### Accountability 44 | 45 | {% accountability capability_id="PSCF-RM-OOM" / %} 46 | 47 | ### Responsibility 48 | 49 | {% responsibility capability_id="PSCF-RM-OOM" / %} 50 | 51 | ## Continuous Capability Improvement [PSCF‑RM‑CCI] 52 | 53 | _The capability to evaluate capabilities in this framework that require improvement and apply improvements over time._ 54 | 55 | {% video src="https://www.youtube.com/embed/qkSBlcDT1nU?si=3BuPSubIuFUcKhD7" /%} 56 | 57 | ### Capability Overview 58 | 59 | Your capacity for Continuous Capability Improvement reflects the ability of your organisation to systematically evaluate and enhance the security aspects of product delivery. This capability is essential for keeping pace with the ever-evolving landscape of technological advancements and changing work practices. 60 | 61 | As the world and technology evolve, so must our security practices to prevent the emergence of new vulnerabilities. This involves not only adapting to new technologies and methodologies but also proactively anticipating future changes and challenges. 
Continuous improvement of security measures is a vital aspect of product development and management, ensuring that what is secure today remains secure tomorrow. This capability, like all others in the realm of product security, requires ongoing development and refinement to effectively protect against emerging threats and to align with the latest technological innovations. 62 | 63 | ### Compliance Requirement 64 | 65 | {% compliance capability_id="PSCF-RM-CCI" / %} 66 | 67 | ### Accountability 68 | 69 | {% accountability capability_id="PSCF-RM-CCI" / %} 70 | 71 | ### Responsibility 72 | 73 | {% responsibility capability_id="PSCF-RM-CCI" / %} 74 | 75 | ## Third-Party Components [PSCF‑RM‑TPC] 76 | 77 | _The capability to evaluate and select third-party component suppliers._ 78 | 79 | {% video src="https://www.youtube.com/embed/ZruVUg7LQCc?si=owaD-PuvB3t_mKMP" /%} 80 | 81 | ### Capability Overview 82 | 83 | Recognizing that it is impractical to build every component in-house, this capability involves making informed decisions about utilizing third-party solutions, such as databases, cloud-based services, secrets storage, etc. 84 | 85 | The core challenge here is to determine which third-party components are secure and suitable for use. This decision-making process might involve creating and maintaining an approved list of components that meet security standards (the 'allow' list) or a list of prohibited components (the 'deny' list). 86 | 87 | A robust process to assess and authorize third-party components ensures that your product's security is not compromised. Consider how you manage these lists, including how to handle exceptions and ensure that all necessary components are evaluated for security before use. 
88 | 89 | ### Compliance Requirement 90 | 91 | {% compliance capability_id="PSCF-RM-TPC" / %} 92 | 93 | ### Accountability 94 | 95 | {% accountability capability_id="PSCF-RM-TPC" / %} 96 | 97 | ### Responsibility 98 | 99 | {% responsibility capability_id="PSCF-RM-TPC" / %} 100 | 101 | ## Third-Party Software Development Services [PSCF‑RM‑TPD] 102 | 103 | _The capability to evaluate and select secure third-party development services suppliers._ 104 | 105 | {% video src="https://www.youtube.com/embed/SGhh-tIMWSA?si=vrcwm8T0RsJ5G68n" /%} 106 | 107 | ### Capability Overview 108 | 109 | This capability is vital when outsourcing software creation, as it involves ensuring that these external parties not only meet but ideally exceed your organization's standards for quality and security. 110 | 111 | A crucial aspect of this process is establishing clear communication and collaboration methods with the third-party developers, especially considering the sensitivity and confidentiality of the projects, which often include intellectual property and new product development. 112 | 113 | It is important to clearly define ownership and usage rights in contractual agreements and maintain a balance between confidentiality, availability, and integrity. This ensures that the third-party services are fully aligned with your organizational goals and deliver the desired outcomes promptly, maintaining a competitive edge in the market. 
114 | 115 | ### Compliance Requirement 116 | 117 | {% compliance capability_id="PSCF-RM-TPD" / %} 118 | 119 | ### Accountability 120 | 121 | {% accountability capability_id="PSCF-RM-TPD" / %} 122 | 123 | ### Responsibility 124 | 125 | {% responsibility capability_id="PSCF-RM-TPD" / %} 126 | 127 | ## Third-Party Software-as-a-Service [PSCF‑RM‑TPS] 128 | 129 | _The capability to evaluate and select secure SaaS offerings from third parties._ 130 | 131 | {% video src="https://www.youtube.com/embed/C_NloUjEa9I?si=170U1b0Edf21xzTj" /%} 132 | 133 | ### Capability Overview 134 | 135 | Choosing Software as a Service (SaaS) providers is more complex than selecting general third-party components due to the critical nature of the services provided and the intricacies of contractual agreements. This capability is essential for integrating business-critical systems like Identity Providers (IdPs), online log management services, or Content Delivery Networks (CDNs) into an organization's operations. These services, often crucial for automation or computational tasks, are not typically core to a business but are fundamental to its smooth functioning. 136 | 137 | The selection process requires careful consideration because these SaaS offerings will handle sensitive data and play a significant role in the overall security of the product. When choosing SaaS providers, ensure they align with your organization's security needs and business goals. It is important to understand the various offerings in the market and make informed decisions based on the security, reliability, and compatibility of these services with the business's requirements. 
138 | 139 | ### Compliance Requirement 140 | 141 | {% compliance capability_id="PSCF-RM-TPS" / %} 142 | 143 | ### Accountability 144 | 145 | {% accountability capability_id="PSCF-RM-TPS" / %} 146 | 147 | ### Responsibility 148 | 149 | {% responsibility capability_id="PSCF-RM-TPS" / %} 150 | 151 | ## Compliance Obligations [PSCF‑RM‑CO] 152 | 153 | _The capability to define, understand and apply your obligations for compliance to your product delivery process._ 154 | 155 | {% video src="https://www.youtube.com/embed/7l4Xwh2RPIg?si=4V9C8QFaDfthiZlk" /%} 156 | 157 | ### Capability Overview 158 | 159 | Internal compliance encompasses voluntary standards an organization might adopt, like ISO 27001 or SOC 2, which are chosen for their value in enhancing operations or customer trust. External compliance, on the other hand, involves adhering to legal and industry-specific regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) for businesses that store, process or transmit payment card data. Failure to comply can lead to legal issues or loss of operational licenses. 160 | 161 | This capability requires a thorough understanding of what each set of compliance obligations entails, ensuring that an organization not only recognizes its required obligations but also implements the necessary practices to meet them. 
It also involves evaluating the cost-effectiveness and value of complying with internal standards, a critical factor in strategic decision-making and resource allocation. 162 | 163 | ### Compliance Requirement 164 | 165 | {% compliance capability_id="PSCF-RM-CO" / %} 166 | 167 | ### Accountability 168 | 169 | {% accountability capability_id="PSCF-RM-CO" / %} 170 | 171 | ### Responsibility 172 | 173 | {% responsibility capability_id="PSCF-RM-CO" / %} 174 | 175 | ## Data Processing Obligations [PSCF‑RM‑DPO] 176 | 177 | _The capability to define, understand and apply your obligations for data processing to your product delivery process._ 178 | 179 | {% video src="https://www.youtube.com/embed/QjjAdk-sYJc?si=7cmOB5HOA-rOFnz2" /%} 180 | 181 | ### Capability Overview 182 | 183 | Data processing obligations are part of an organization's broader compliance obligations and require a clear understanding of the specific regulations that apply, such as the General Data Protection Regulation (GDPR) for businesses operating in, or processing the personal data of individuals in, the European Union. It is important to comprehend the full scope of data processing, including the nature of the data, its intended use, and the adherence to specific requirements of regulations like GDPR. You must also be aware of any third-party entities involved in data processing and ensure their compliance with relevant regulations. This capability is crucial for organizations to meet regulatory standards and avoid potential legal complications. 
### Compliance Requirement

{% compliance capability_id="PSCF-RM-DPO" / %}

### Accountability

{% accountability capability_id="PSCF-RM-DPO" / %}

### Responsibility

{% responsibility capability_id="PSCF-RM-DPO" / %}

## Business Impact Assessment [PSCF‑RM‑BIA]

_The capability to analyse the business value of products and the effects security disruptions to that product will have on business._

{% video src="https://www.youtube.com/embed/xvLFS8Dsf8c?si=yUhNojJ6yOe3dTLD" /%}

### Capability Overview

Analyzing the business value of products and the impact of security disruptions centres around the vital process of Business Impact Assessment (BIA) within a product delivery organization.

This capability involves assessing how different levels of security incidents can affect the value and operations of a product. A crucial aspect of BIA is determining the appropriate level of detail for the assessment, ensuring it's sufficient to understand the impact without losing sight of the overall business value. Another key factor is the involvement of someone who can represent and articulate the business interests effectively. This person should have an in-depth understanding of the product or service to address potential 'what if' scenarios. The choice of scenarios to be discussed in the BIA is also critical. While it's not necessary to cover every possible scenario, the focus should be on those most relevant and likely to impact the business, ensuring a thorough and meaningful assessment.

### Compliance Requirement

{% compliance capability_id="PSCF-RM-BIA" / %}

### Accountability

{% accountability capability_id="PSCF-RM-BIA" / %}

### Responsibility

{% responsibility capability_id="PSCF-RM-BIA" / %}

## Data Protection Impact Assessment [PSCF‑RM‑DIA]

_The capability to analyse the potential impact on the data subject that a failure of data protection would have._

### Capability Overview

Navigating the intricate landscape of data handling and processing, especially under the stringent regulations of GDPR, introduces the imperative capability of Data Protection Impact Assessment (DPIA) within a product delivery organization.

This capability is centered on meticulously evaluating the data processing activities of a product and understanding the potential privacy impacts these activities may have on individuals. A pivotal aspect of DPIA is the depth and thoroughness of the assessment, ensuring it's comprehensive enough to cover all relevant data processing nuances without overshadowing the primary objective of safeguarding personal data. It's crucial to involve someone with a profound comprehension of the GDPR's requirements and the specific data processing activities of the product. This individual should be adept at dissecting and addressing potential data protection risks and envisaging 'what if' scenarios related to data breaches or misuse. Selecting the most pertinent and impactful data processing activities to assess is also paramount. While it may not be feasible to scrutinize every minor processing detail, the focus should be on those activities that pose significant privacy risks, thereby ensuring a robust and meaningful DPIA.

### Compliance Requirement

{% compliance capability_id="PSCF-RM-DIA" / %}

### Accountability

{% accountability capability_id="PSCF-RM-DIA" / %}

### Responsibility

{% responsibility capability_id="PSCF-RM-DIA" / %}

## Threat Intelligence [PSCF‑RM‑TI]

_The capability to define and understand criminal abuses your product might be exposed to and apply this understanding to product delivery._

{% video src="https://www.youtube.com/embed/3VD0TOpTVW8?si=8XqfDQ4OnFNhNwQQ" /%}

### Capability Overview

Defining and understanding criminal abuses a product might face, and applying this knowledge to product delivery, revolves around developing a comprehensive threat intelligence capability.

This involves a deep understanding of the product, user activities, and the potential threat actors and their methods. The capability spans various levels of threat intelligence, including operational intelligence which offers technical data feeds for immediate threats, tactical intelligence that requires more specific interpretation and evaluation related to the product and market, and strategic intelligence that encompasses broader geopolitical and industry-wide events.

Effective threat intelligence is crucial in proactively identifying and mitigating potential risks to the product, but it also requires careful balancing of resources and expertise to manage the associated costs. This capability is integral in ensuring the security and integrity of the product in a dynamic threat landscape.

### Compliance Requirement

{% compliance capability_id="PSCF-RM-TI" / %}

### Accountability

{% accountability capability_id="PSCF-RM-TI" / %}

### Responsibility

{% responsibility capability_id="PSCF-RM-TI" / %}

--------------------------------------------------------------------------------
/capability-areas/secure-build-and-deployment/page.md:
--------------------------------------------------------------------------------
---
title: Secure Build & Deployment
nextjs:
  metadata:
    title: Secure Build & Deployment
    description: A description of the Secure Build & Deployment capability area.
---

{% video src="https://www.youtube.com/embed/ksCcMQ3xEds?si=5ggsu-Lm9ie-ZuDa" /%}

## Area Overview

Secure Build & Deployment is a vital component in the product development pipeline, ensuring that the security measures ingrained during the design and implementation phases are accurately translated into the final product. This practice involves rigorous procedures and checks to maintain the integrity and security of the product from the build environment to its deployment in a live setting. It's about creating a fortified bridge between the development of secure code and its operation in the real world, ensuring that this transition is seamless, secure, and devoid of vulnerabilities that can be exploited.

These capabilities are pivotal for automating and reinforcing security measures throughout the build and deployment processes. By integrating robust security practices into these stages, organizations can safeguard their products against configuration errors, unauthorized access, and other security threats that can compromise the product post-deployment.
### Benefits

* **Continuous Security Assurance:** Secure Build & Deployment practices ensure that security is an ongoing priority, not just at certain stages, providing continuous protection throughout the product's lifecycle.
* **Streamlined Deployment Processes:** Integrating security into the build and deployment processes helps in automating security checks and controls, making these processes more efficient and less prone to human error.
* **Early Detection of Vulnerabilities:** Regular and automated security assessments during the build and deployment stages allow for the early detection and remediation of vulnerabilities, reducing potential exploitation risks.
* **Confidence in Product Integrity:** Ensures that the product deployed in the production environment mirrors the security and integrity of the product conceived during the design phase, fostering confidence among stakeholders and users.

## Dependency Management [PSCF‑SBD‑DM]

_The capability to evaluate and select secure software dependencies used by your product_

{% video src="https://www.youtube.com/embed/BSQMZJBTaGc?si=gWmrDWCgcJj_r4R4" /%}

### Capability Overview

Dependency management is crucial in modern software development due to the extensive use of third-party libraries and frameworks. Properly managing these dependencies is vital for maintaining the security and stability of software products, as vulnerabilities in these external components can be easily exploited.

### Compliance Requirement

{% compliance capability_id="PSCF-SBD-DM" / %}

### Accountability

{% accountability capability_id="PSCF-SBD-DM" / %}

### Responsibility

{% responsibility capability_id="PSCF-SBD-DM" / %}

## Build Process [PSCF‑SBD‑BP]

_The capability to securely assemble product artefacts from their codebases and dependencies_

{% video src="https://www.youtube.com/embed/FuVi71PzYjw?si=jbBdhb-NmDG15Z4-" /%}

### Capability Overview

The build process in software development is a critical stage where source code is compiled into executable programs. A secure and efficient build process is essential for ensuring that the software is free from vulnerabilities and defects, and is ready for deployment.

### Compliance Requirement

{% compliance capability_id="PSCF-SBD-BP" / %}

### Accountability

{% accountability capability_id="PSCF-SBD-BP" / %}

### Responsibility

{% responsibility capability_id="PSCF-SBD-BP" / %}

## Artifact Integrity [PSCF‑SBD‑AI]

_The capability to use product artefacts from trusted sources and evaluate any that change_

{% video src="https://www.youtube.com/embed/cavvIhxua7g?si=xNstMvVTrQ-Y998E" /%}

### Capability Overview

Artifact integrity is critical in ensuring that the software products developed are authentic and have not been tampered with. This is essential for maintaining trust in the software delivery process and for the security of the end product.

This capability involves verifying the integrity of software artifacts from creation to deployment. It includes implementing measures to ensure that the artifacts are not altered or corrupted during the software development lifecycle. Ensuring artifact integrity is crucial for preventing the introduction of malicious code or vulnerabilities into the software.

### Compliance Requirement

{% compliance capability_id="PSCF-SBD-AI" / %}

### Accountability

{% accountability capability_id="PSCF-SBD-AI" / %}

### Responsibility

{% responsibility capability_id="PSCF-SBD-AI" / %}

## Data Integrity [PSCF‑SBD‑DI]

_The capability to use data in your product that is obtained from and stored in trusted sources and evaluate any changes_

{% video src="https://www.youtube.com/embed/WEvcK80i2NY?si=ZLjO8VJrf85Eox-p" /%}

### Capability Overview

Data integrity is paramount in ensuring the accuracy, reliability, and consistency of data throughout its lifecycle. In the context of software development, it is crucial for maintaining the trustworthiness of the data used and produced by applications.

This capability focuses on ensuring that data is not altered in an unauthorized or unexpected manner. It encompasses strategies to protect data from corruption, unauthorized access, and errors. Effective data integrity practices are essential for complying with data protection regulations and for maintaining the overall quality of software products.

### Compliance Requirement

{% compliance capability_id="PSCF-SBD-DI" / %}

### Accountability

{% accountability capability_id="PSCF-SBD-DI" / %}

### Responsibility

{% responsibility capability_id="PSCF-SBD-DI" / %}

## Secrets Management [PSCF‑SBD‑SM]

_The capability to restrict access to product secrets to only when required by those people and systems that need them_

{% video src="https://www.youtube.com/embed/CNnJIOSCmyE?si=IgUnRe7nsbbmBdue" /%}

### Capability Overview

Secrets management is a critical aspect of software security, involving the safe handling of sensitive information like passwords, keys, and tokens. Proper management of these secrets is essential to protect against data breaches and unauthorized access.

This capability involves creating, storing, accessing, and disposing of secrets in a secure manner. It requires a comprehensive approach to ensure that secrets are not exposed to unauthorized individuals or systems and are used only for their intended purposes. Effective secrets management is a fundamental part of securing software systems and protecting sensitive information.

### Compliance Requirement

{% compliance capability_id="PSCF-SBD-SM" / %}

### Accountability

{% accountability capability_id="PSCF-SBD-SM" / %}

### Responsibility

{% responsibility capability_id="PSCF-SBD-SM" / %}

## Deployment Process [PSCF‑SBD‑DP]

_The capability to securely deploy a product and its components from a known set of artefacts_

{% video src="https://www.youtube.com/embed/vUZ5K27Mo7E?si=XgYOujKuvjDFyiXz" /%}

### Capability Overview

The deployment process is a critical stage in the software development lifecycle, where software is released to production environments. A secure and efficient deployment process is essential to ensure the reliability and availability of software products.

The deployment process involves the steps taken to move software from development to production environments. It requires careful planning and execution to ensure that deployments are performed without errors, disruptions, or security breaches. Effective deployment processes enable rapid and safe delivery of software updates and new features to users.

### Compliance Requirement

{% compliance capability_id="PSCF-SBD-DP" / %}

### Accountability

{% accountability capability_id="PSCF-SBD-DP" / %}

### Responsibility

{% responsibility capability_id="PSCF-SBD-DP" / %}

--------------------------------------------------------------------------------
/capability-areas/secure-product-implementation/page.md:
--------------------------------------------------------------------------------
---
title: Secure Product Implementation
nextjs:
  metadata:
    title: Secure Product Implementation
    description: A description of the Secure Product Implementation capability area.
---

{% video src="https://www.youtube.com/embed/RBocmSoJ4Dw?si=0QzH8uzqrqVGjOkd" /%}

## Area Overview

Secure Product Implementation is an essential practice in the realm of product development, focusing on embedding security principles from the earliest stages of design and carrying these principles throughout the entire implementation process. This proactive approach ensures that products are not only functional and user-friendly but inherently secure, resilient, and reliable. By integrating security into the very fabric of the product's architecture and design, organizations can preemptively address potential vulnerabilities and mitigate risks before they escalate into more significant threats.

These capabilities empower teams to create products that are not only compliant with the latest security standards but are also equipped to withstand the evolving and sophisticated threats in the digital landscape. Secure Product Implementation is a strategic investment, fostering innovation and trust, and setting a solid foundation for the secure evolution of the product over its lifecycle.
### Benefits

* **Proactive Threat Mitigation:** By considering security at the earliest stages of product design and implementation, potential threats and vulnerabilities can be identified and mitigated upfront, reducing the risk of future breaches and attacks.
* **Compliance and Standard Adherence:** Ensures that products are designed and built in accordance with industry standards and regulatory requirements, mitigating legal and compliance risks.
* **Optimized Development Lifecycle:** Embedding security early in the product design and implementation phases streamlines the development process, reduces the need for costly redesigns, and accelerates time-to-market.
* **Trust and Brand Loyalty:** Products designed and implemented with security as a priority instill confidence among customers and partners, enhancing brand reputation and customer loyalty.

## Data Classification [PSCF‑SPI‑DC]

_The capability to maintain a Data Catalogue of data in use by your product that records its criticality, sensitivity and requirement_

{% video src="https://www.youtube.com/embed/FLdaaznIfJI?si=R9FMzOg9Oe3WzaA2" /%}

### Capability Overview

Data classification is a critical process in managing and securing an organization's information assets. It involves categorizing data based on its level of sensitivity, regulatory requirements, and business value. This process is essential for ensuring that sensitive data, such as personally identifiable information (PII), is adequately protected and handled in compliance with legal and regulatory standards.

### Compliance Requirement

{% compliance capability_id="PSCF-SPI-DC" / %}

### Accountability

{% accountability capability_id="PSCF-SPI-DC" / %}

### Responsibility

{% responsibility capability_id="PSCF-SPI-DC" / %}

## Functional Requirement Analysis [PSCF‑SPI‑FRA]

_The capability to analyse functional product requirements for security requirements arising_

{% video src="https://www.youtube.com/embed/uTaOsE7nj4w?si=8TZwrgrsW9LbW8F-" /%}

### Capability Overview

Functional requirement analysis is a systematic process of identifying and documenting the functionalities required for a software system. This process is vital to ensure that the software meets its intended purpose and user needs. It is also crucial for identifying security requirements that need to be integrated into these functionalities.

### Compliance Requirement

{% compliance capability_id="PSCF-SPI-FRA" / %}

### Accountability

{% accountability capability_id="PSCF-SPI-FRA" / %}

### Responsibility

{% responsibility capability_id="PSCF-SPI-FRA" / %}

## Agile Threat Modelling [PSCF‑SPI‑ATM]

_The capability to evaluate product designs for their resilience to security threats_

{% video src="https://www.youtube.com/embed/U9BnlBWeAfE?si=Ng3Kp9MFqLgrKVKM" /%}

### Capability Overview

Agile threat modelling is an approach to identify and address potential security threats in a software development environment that embraces agile methodologies. It is essential for proactively identifying security vulnerabilities and ensuring the software's resilience against attacks.

Continuous assessment of threats throughout the development process aligns with the agile principles of iterative development, enabling teams to integrate security considerations into the development lifecycle effectively. This approach helps in identifying potential security issues early and provides a framework for addressing them promptly.

### Compliance Requirement

{% compliance capability_id="PSCF-SPI-ATM" / %}

### Accountability

{% accountability capability_id="PSCF-SPI-ATM" / %}

### Responsibility

{% responsibility capability_id="PSCF-SPI-ATM" / %}

## Component Management [PSCF‑SPI‑CM]

_The capability to evaluate, select and maintain secure product components used by your product_

{% video src="https://www.youtube.com/embed/8UmJDh0c_IQ?si=7DuBSqzl-dXdMkYo" /%}

### Capability Overview

Component management is the practice of managing software components to ensure they are up-to-date, secure, and efficiently integrated into software systems. This practice is crucial for maintaining the security and performance of software applications.

### Compliance Requirement

{% compliance capability_id="PSCF-SPI-CM" / %}

### Accountability

{% accountability capability_id="PSCF-SPI-CM" / %}

### Responsibility

{% responsibility capability_id="PSCF-SPI-CM" / %}

## Secure Coding Practices [PSCF‑SPI‑SCP]

_The capability to define, understand and apply secure coding practices to the creation of source code for use in the organisation's products_

### Capability Overview

Secure Coding Practices are the backbone of a robust and resilient product development lifecycle. This discipline involves the adoption and implementation of a set of comprehensive guidelines and techniques that ensure the source code for products is not only functional and efficient but also fortified against the myriad of security threats prevalent in today's digital landscape. It's about writing code with the foresight of potential security risks, ensuring that every line not only serves its purpose in functionality but also stands as a bulwark against vulnerabilities.

### Compliance Requirement

{% compliance capability_id="PSCF-SPI-SCP" / %}

### Accountability

{% accountability capability_id="PSCF-SPI-SCP" / %}

### Responsibility

{% responsibility capability_id="PSCF-SPI-SCP" / %}

--------------------------------------------------------------------------------
/capability-areas/secure-product-management/page.md:
--------------------------------------------------------------------------------
---
title: Secure Product Management
nextjs:
  metadata:
    title: Secure Product Management
    description: A description of the Secure Product Management capability area.
---

{% video src="https://www.youtube.com/embed/fYcF2gdszZ8?si=kGa_glDNwnbBT5hp" /%}

## Area Overview

Secure Product Management is a cornerstone of product development and lifecycle management, ensuring that security is not an afterthought but a fundamental, integrated aspect from inception to decommissioning. This proactive stance is essential in today's fast-paced and threat-laden digital environment. By embedding security into the product management process, organizations can create robust, reliable products that not only meet but exceed the evolving expectations and needs of customers and stakeholders.

These capabilities are critical for maintaining the integrity, confidentiality, and availability of products throughout their lifecycle.
Secure Product Management is not merely about safeguarding against threats but also about building a resilient framework that can adapt and evolve with emerging technologies and changing threat landscapes.

### Benefits

* **Robust Security Posture:** Integrating security into the product management lifecycle enhances the overall security posture, reducing vulnerabilities and exposure to threats.
* **Lifecycle Approach:** Emphasizes the importance of considering security at every stage of the product lifecycle, from design to decommissioning, ensuring comprehensive protection.
* **Market Competitiveness:** Products designed with security in mind meet the high standards demanded by customers and regulations, giving a competitive edge in the market.
* **Resilience and Reliability:** Secure Product Management ensures that products are not just secure but also resilient to disruptions, maintaining functionality and reliability even when faced with threats.

## Recommended Components [PSCF‑SPM‑RC]

_The capability to evaluate and select secure recommended components suitable for use in the organisation's products_

{% video src="https://www.youtube.com/embed/2rrUEG2euJ0?si=kZ1y--mPS8zp_IsZ" /%}

### Capability Overview

The strategic selection and management of recommended components within an organization's product development process are crucial for maintaining a secure and efficient software development lifecycle. Recommended components, encompassing a variety of third-party technologies such as databases, cloud-native services, and operating systems, form the backbone of many modern software products. Their importance lies not only in the functionality they provide but also in the potential security risks they pose if not properly selected and managed. The process of evaluating and selecting these components ensures that they align with the organization's security standards and operational needs, thereby mitigating risks associated with external dependencies.

### Compliance Requirement

{% compliance capability_id="PSCF-SPM-RC" / %}

### Accountability

{% accountability capability_id="PSCF-SPM-RC" / %}

### Responsibility

{% responsibility capability_id="PSCF-SPM-RC" / %}

## Recommended Shared Security Services [PSCF‑SPM‑RSS]

_The capability to evaluate and select shared security services suitable for use in the organisation's products_

{% video src="https://www.youtube.com/embed/gglamgyUd-4?si=y-fkMFsPMAv-rLOT" /%}

### Capability Overview

In the realm of product security, the use of shared security services is increasingly becoming a central strategy for organizations aiming to protect their digital assets effectively. These services, such as Identity Management Platforms (IDP), DDoS Protection services, and Security Testing tools, play a vital role in enhancing the security posture of software products. The correct selection and integration of these services are paramount, as they directly influence the security capabilities of the products they protect. A unified approach to selecting these services ensures that security is consistently applied across all products, thereby reducing the complexity and potential gaps in security coverage.

### Compliance Requirement

{% compliance capability_id="PSCF-SPM-RSS" / %}

### Accountability

{% accountability capability_id="PSCF-SPM-RSS" / %}

### Responsibility

{% responsibility capability_id="PSCF-SPM-RSS" / %}

## Delivery Metrics [PSCF‑SPM‑DM]

_The capability to quantitatively evaluate the efficiency of delivery capabilities_

{% video src="https://www.youtube.com/embed/1QMm8jMnBxg?si=Y01JzbKxbA7bPEUi" /%}

### Capability Overview

Delivery metrics in software product management are essential for balancing the quality of security with efficient product delivery. These metrics help teams understand the impact of their security practices on overall delivery performance, enabling them to find the right balance between rapid deployment and maintaining robust security measures. Effective use of delivery metrics ensures that the pursuit of security does not unduly hinder the product team's ability to deliver value to customers. This balance is crucial in a competitive market where both speed and security are key to success.

### Compliance Requirement

{% compliance capability_id="PSCF-SPM-DM" / %}

### Accountability

{% accountability capability_id="PSCF-SPM-DM" / %}

### Responsibility

{% responsibility capability_id="PSCF-SPM-DM" / %}

## Quality Metrics [PSCF‑SPM‑QM]

_The capability to quantitatively evaluate all aspects of your product's quality_

{% video src="https://www.youtube.com/embed/q1vm7NLeuoI?si=C3glbI08DfWqLUwR" /%}

### Capability Overview

Quality metrics in software development are critical for ensuring that products not only meet customer needs but also adhere to high standards of security and reliability. These metrics provide a comprehensive view of a product's quality across various dimensions, including security, performance, and usability. In the context of security, quality metrics are instrumental in revealing hidden vulnerabilities and gaps that might not be immediately apparent, helping teams preemptively address potential security threats before they manifest in real-world scenarios.

### Compliance Requirement

{% compliance capability_id="PSCF-SPM-QM" / %}

### Accountability

{% accountability capability_id="PSCF-SPM-QM" / %}

### Responsibility

{% responsibility capability_id="PSCF-SPM-QM" / %}

## Product Operating Model [PSCF‑SPM‑POM]

_The capability to analyse your products and define their scope, processes and operating requirements across their lifecycle_

{% video src="https://www.youtube.com/embed/P6HThvtTVfA?si=WugeB_QsFNsjsDyZ" /%}

### Capability Overview

The Product Operating Model is a critical aspect of software product management, defining how a product team supports and maintains a product post-release. This model is essential for ensuring that a product remains functional, secure, and meets customer expectations throughout its lifecycle. A well-defined product operating model not only ensures effective product support but also plays a pivotal role in maintaining and enhancing the product's security posture over time.

### Compliance Requirement

{% compliance capability_id="PSCF-SPM-POM" / %}

### Accountability

{% accountability capability_id="PSCF-SPM-POM" / %}

### Responsibility

{% responsibility capability_id="PSCF-SPM-POM" / %}

## Minimum Application Requirements For Security [PSCF‑SPM‑MAR]

_The capability to evaluate and select a list of minimum security requirements suitable for use in the organisation's products_

{% video src="https://www.youtube.com/embed/Z-aIksPUGVg?si=nZ6aDAWUHJMZfMkv" /%}

### Capability Overview

Establishing minimum application requirements for security is fundamental in safeguarding software products. In a rapidly evolving digital landscape, where threats and vulnerabilities are constantly emerging, setting a baseline for security measures is essential. These requirements serve as the foundation for a secure development lifecycle, ensuring that every product meets a standard level of security before deployment. This approach not only mitigates risk but also instills confidence among users and stakeholders about the product's integrity and resilience against cyber threats.

### Compliance Requirement

{% compliance capability_id="PSCF-SPM-MAR" / %}

### Accountability

{% accountability capability_id="PSCF-SPM-MAR" / %}

### Responsibility

{% responsibility capability_id="PSCF-SPM-MAR" / %}

--------------------------------------------------------------------------------
/concepts/accountability-and-responsibility/page.md:
--------------------------------------------------------------------------------
---
title: Accountability & Responsibility
nextjs:
  metadata:
    title: Accountability & Responsibility
    description: Security programs fail when they don't communicate clear, fair, scalable accountabilities. This section defines accountability and responsibility and how they are most effectively used.
---

Security programs fail when they don't communicate clear, fair, scalable accountabilities and responsibilities. In the PSCF, we define accountability and responsibility and how they are most effectively used.

---

## Defining accountability and responsibility

It's essential to be clear about who is accountable and who is responsible for security capabilities. Equally important is that everyone in your organisation understands what being accountable and being responsible means. In the PSCF we use the definition from [McGrath & Whitty's 2018 paper](https://research.usq.edu.au/download/55d83eed7ba13ad5f3a6f4aeb3e07456f18b3457085051d0d468498464b43020/509830/Accountability%20and%20responsibility%20defined%20-%20author%20post-print%20version%20with%202ECs.pdf), "Accountability and responsibility defined" in the International Journal of Managing Projects in Business.

### Accountability

**Accountability**: _liability for ensuring a task is satisfactorily done_.

**Accountable**: _having liability for ensuring a task is satisfactorily done._

Only individuals can be accountable. If more than one person is accountable, then no one is.

{% callout title="Situation-oriented" %}
Accountability is what happens after a situation occurs. It's who responds and takes ownership.
{% /callout %}

### Responsibility

**Responsibility**: _an obligation to satisfactorily perform a task_.

**Responsible**: _accepting an obligation to satisfactorily perform a task_.

Groups of people can be responsible. In software development many people are often required to collaborate to satisfactorily perform a task.

{% callout title="Task-oriented" %}
Every person on a team may be responsible for a task that's required to complete a big project.
39 | {% /callout %} 40 | 41 | ## Fairly and scalably assigning accountability and responsibility 42 | 43 | To be fairly held accountable or made responsible for a security capability's tasks, the individuals or groups need a minimum level of [Understanding, Information and Opportunity](/pscf/concepts/understanding-information-opportunity). When this is not understood or taken into account, organisations end up with very low security capability effectiveness. 44 | 45 | ### Understanding 46 | 47 | To be held accountable for ensuring a task is satisfactorily done, you don't need to understand the task well enough to carry it out yourself (_Understanding level 3+_) but you do need to understand the task well enough to identify that it is being done satisfactorily (_Understanding level 2_). 48 | 49 | ### Information 50 | 51 | You also need information that shows you whether the task is being carried out at all and that the results of the task meet requirements. This information could take many forms and could be a dashboard, a regular report or visual confirmation in some cases. 52 | 53 | ### Opportunity 54 | 55 | The more things you're accountable or responsible for the more of your time it will take to deal with these things. If the people being held accountable or responsible simply don't have time to do everything they need to do then the organisation's expectations are not fair or scalable. 56 | 57 | You need accountabilities and responsibilites that scale at least linearly as the organisation grows. With good use of automation and data presentation, you can achieve sub-linear scale as the organisation grows. 58 | 59 | The most important aspect of opportunity for accountability is related to tools. A tool not often recognised is the tool of setting work priorities. **An accountable person must be able to set work priorities for the responsible group**. Without that tool available, they _cannot_ be held liable for ensuring a task is satisfactorily done. 

If you have a person accountable for security desperately trying to persuade the responsible groups to do the security tasks they're responsible for, then you have a big problem.

{% callout type="warning" title="Getting it wrong" %}
A common mistake organisations make when implementing a software product security programme is to make a central application security team responsible for security tasks and a head of application security accountable for the security of delivered applications. This is neither fair nor scalable. A central appsec team can be an enabling team, but responsibility for security tasks must sit with the product delivery teams, and accountability for a software product's security must be with the product's lead decision-maker.
{% /callout %}

## Suggested accountabilities and responsibilities

This framework comes with suggested fair and scalable accountabilities and responsibilities for all security capabilities. These suggestions are based on a _product-_ or _stream-aligned_ scalable team structure such as defined in the [Team Topologies](https://teamtopologies.com/) approach. If your delivery organisation is structured in this way, then you should be able to adopt these as they are. If your organisation has a different structure, then you will have to adapt them for your purposes.

Bear in mind the guidance given in this section when you do this. Be rigorous in ensuring that accountabilities and responsibilities are fairly and scalably assigned, or your product security programme will fail to be effective.
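The rules above can be checked mechanically against the suggested assignments. As an added example (not the PSCF project's own code), the script below reads records in the shape of the repository's `data/capabilities.json`, flags any capability with zero or more than one accountable role or with no responsible group, and lists, for an external compliance obligation such as NIST SSDF, which accountable role owns each required capability. The embedded sample data is constructed: two entries copy PSCF-RM-OOM and PSCF-SPI-SCP from the data file, while `PSCF-EXAMPLE-BAD` is an invented id that deliberately breaks the rules.

```python
"""Checks over PSCF-style accountability and responsibility assignments.

Added example, not part of the PSCF project. It works on records in the shape
of the repository's data/capabilities.json: each capability lists the
regulations that require it, which role is accountable and which groups are
responsible. The checks encode the rules from the accountability page.
"""
import json
from typing import Dict, List

# Constructed sample in the data/capabilities.json shape. PSCF-RM-OOM and
# PSCF-SPI-SCP are copied from the repository data; PSCF-EXAMPLE-BAD is an
# invented id that names two accountable roles (so nobody is accountable)
# and no responsible group at all.
SAMPLE_CAPABILITIES = json.loads("""
{
  "PSCF-RM-OOM": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "N" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "Y" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-SPI-SCP": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "N" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "Y" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-EXAMPLE-BAD": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "N" }, { "name": "NIST SSDF", "required": "N" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "Y" }, { "name": "Technical Lead", "accountable": "Y" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  }
}
""")


def accountable_roles(cap: dict) -> List[str]:
    """Roles flagged "Y" in the capability's accountability list."""
    return [r["name"] for r in cap["accountability"] if r["accountable"] == "Y"]


def responsible_groups(cap: dict) -> List[str]:
    """Groups flagged "Y" in the capability's responsibility list."""
    return [g["name"] for g in cap["responsibility"] if g["responsible"] == "Y"]


def required_by(cap: dict) -> List[str]:
    """Regulations and standards that require this capability."""
    return [r["name"] for r in cap["regulations"] if r["required"] == "Y"]


def check_assignments(capabilities: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return {capability_id: [problem, ...]} for every capability that breaks
    the page's rules: exactly one accountable individual (if more than one
    person is accountable, no one is) and at least one responsible group."""
    problems: Dict[str, List[str]] = {}
    for cap_id, cap in capabilities.items():
        issues = []
        accountable = accountable_roles(cap)
        if not accountable:
            issues.append("no accountable role: nobody is liable for ensuring the task is done")
        elif len(accountable) > 1:
            issues.append("%d accountable roles (%s): if more than one person is accountable, no one is"
                          % (len(accountable), ", ".join(accountable)))
        if not responsible_groups(cap):
            issues.append("no responsible group: nobody has accepted the obligation to perform the task")
        if issues:
            problems[cap_id] = issues
    return problems


def obligations_by_accountable_role(capabilities: Dict[str, dict], regulation: str) -> Dict[str, List[str]]:
    """For one external compliance obligation (e.g. "NIST SSDF"), group the
    capabilities it requires by the role accountable for each of them: the
    list each accountable person needs information about."""
    by_role: Dict[str, List[str]] = {}
    for cap_id, cap in capabilities.items():
        if regulation not in required_by(cap):
            continue
        for role in accountable_roles(cap):
            by_role.setdefault(role, []).append(cap_id)
    return {role: sorted(ids) for role, ids in sorted(by_role.items())}


def load_capabilities(path: str) -> Dict[str, dict]:
    """Load the real data file, e.g. load_capabilities("data/capabilities.json")."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for cap_id, issues in check_assignments(SAMPLE_CAPABILITIES).items():
        for issue in issues:
            print(f"{cap_id}: {issue}")
    for role, ids in obligations_by_accountable_role(SAMPLE_CAPABILITIES, "NIST SSDF").items():
        print(f"NIST SSDF -> {role} is accountable for {', '.join(ids)}")
```

Point `load_capabilities` at the repository's data file to run the same checks over every suggested assignment rather than the constructed sample.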
--------------------------------------------------------------------------------
/concepts/capabilities-drive-secure-products/page.md:
--------------------------------------------------------------------------------
---
title: Capabilities drive secure products
nextjs:
  metadata:
    title: Capabilities drive secure products
    description: Introducing the quality outcomes axiom. Capabilities lead to actions, which lead to product quality, which lead to customer value, which lead to business outcomes.
---

What's so special about capabilities that we've built an entire framework around them? Read on!

---

{% callout title="Definition" %}
**axiom** | ˈaksɪəm |

noun

_A statement or proposition which is regarded as being established, accepted, or self-evidently true._
{% /callout %}

## The quality outcomes axiom

This framework introduces the quality outcomes axiom:

![A process diagram showing the quality outcomes axiom](/images/quality-outcomes-axiom.png)

Your delivery organisation's capabilities lead to actions, which lead to product quality, which delivers customer value and leads to business outcomes.

Put more simply, the things you do lead to the outcomes you get. This is axiomatic (or: just plain obvious). Accepting this means that capabilities are the start of all aspects of your software products' quality and, ultimately, of the value your customers get from them and the business outcomes they bring.

{% callout title="Not just businesses..." %}
The outcomes are non-commercial if you're a community software project. Gaining more use and a happier user base are good outcomes of a higher-quality community project!
{% /callout %}

## An example security capability

Let's make this less abstract with an example of one of the PSCF's security capabilities.
In this case, an essential technical capability to meet the requirements of [NIST SSDF](https://csrc.nist.gov/projects/ssdf) **PW.5**.

### PSCF-SPI-SCP: Secure Coding Practices

_The capability to define, understand and apply secure coding practices to the creation of source code for use in the organisation's products_

As you can predict, having a high level of capability here leads to the activity of writing more secure code for your software products. This makes them higher quality from a security point of view, leading to more customer value (your customers do value security!) and better business outcomes.

{% callout type="warning" title="What if your organisation isn't very capable at this?" %}
Of course, if you appraise your organisation and score low for this capability because of a lack of understanding, a lack of good guidance, or because your software developers aren't given enough time to write secure code, just quick hacky code, then the security quality won't be in your products. This leads to your customers potentially seeing other customers' data or having their data stolen. That isn't the kind of outcome you want.
{% /callout %}

We've mentioned quality a lot when talking about software product security, but haven't defined exactly what quality is in the PSCF yet. Let's do that now.
--------------------------------------------------------------------------------
/concepts/security-quality/page.md:
--------------------------------------------------------------------------------
---
title: Security is an aspect of software product quality
nextjs:
  metadata:
    title: Security is an aspect of software product quality
    description: Software product quality is well defined, and security is just one aspect of it.
---

What is quality? In the world of software products this isn't a metaphysical conundrum, it's well-defined!


---

## What is software product quality

This framework uses a rigorous definition of quality for software products, the ISO25010 Software Product Quality Model.

### ISO25010 Software Product Quality Model

![A diagram showing the ISO25010 Software Product Quality Model with quality characteristics of Functional Suitability, Performance Efficiency, Compatibility, Usability, Reliability, Security, Maintainability, Flexibility and Safety](/images/iso25010-software-product-quality-model.png)

For reasons not known to the PSCF project team, this model is almost unheard of in the software delivery world. The lack of awareness is very unfortunate because the ISO quality model is comprehensive and extremely helpful in defining the things that matter for a software product.

{% callout title="Product Owners" %}
You should be particularly interested in this quality model if you're in product management. Being a product owner means you prioritise all of these aspects of quality for your customers and organisation, balancing team effort to create a product of sufficient quality. Product Owner sounds nicer than Quality Manager, though.
{% /callout %}

## Prioritising quality

The ISO team have connected the model to how a software product delivers value to a business. This means there's a left-to-right order of "importance" to it, with the highest value aspects of quality on the left and the lowest on the right. It's a generic, all-industries view, but look at the order and see if you agree.

Functional quality will almost always overrule any other aspect of quality. No one cares how fast, reliable or flexible your software is if it doesn't work!

Performance is the biggest contributor to your customer's perception of quality in your software product. A snappy, responsive system always feels higher quality than a slow, unresponsive one.

You might be surprised to see reliability being of lower importance. However, a system that's 99.999% available but so slow it's unusable is pretty low value.

Overall, the most visible aspects of quality to your customers are of higher value and the less visible aspects are of lower value.

{% callout type="warning" title="So can we just ignore the things on the right?" %}
Not if you want to sustainably deliver value over time!

Low security quality is an incident waiting to happen; the longer you have low security quality, the more likely the incident will happen. The remaining qualities on the right chiefly impact the delivery team itself. A software product with low maintainability and flexibility will quickly lead to one with reliability, performance and functional problems for your customers.
{% /callout %}

## How to use the model

The model has a sensible order of quality importance, but it could be wrong for your organisation and product. Most software delivery teams don't have to worry much about their software's safety, but you might have to. For some products, reliability could be all-important, or performance might not be a big concern for your customers and organisation.

To start with, review the order of the model and adjust it where necessary for your purposes. Once you have a correctly prioritised quality model, you have a high-level view of what's most important to your customers and to your organisation.

Next, set some quantifiable targets for each aspect of quality, derived from metrics that clearly indicate that you're reaching the levels of quality your customers and organisation require. We like the Service Level Objective (SLO) and Service Level Indicator (SLI) approach.
Having clear measures of quality that you track over time stops it from being a subjective guessing game for the delivery team and makes for a far more effective approach to delivering high-quality software products consistently.

{% callout title="Quality Metrics" %}
In the PSCF we call these measures **Quality Metrics**. For each capability, we provide suggested SLIs that will be useful for you to track and use for your security SLOs. **Quality Metrics** are balanced against **Delivery Metrics**, measures of delivery effectiveness, to ensure you're not impacting the timely delivery of software products to your customers with excessively high requirements for quality.
{% /callout %}

Finally, track these SLIs over time and use their trends to inform your decision-making. Having early sight that performance, reliability or security quality is declining means you can re-prioritise your efforts in those areas before an incident occurs.

--------------------------------------------------------------------------------
/concepts/security-requirements-not-security-opinions/page.md:
--------------------------------------------------------------------------------
---
title: Security requirements not security opinions
nextjs:
  metadata:
    title: Security requirements not security opinions
    description: The PSCF team don't just want to throw their opinions on what matters in with everyone else's. This section describes the rigorous process by which the PSCF security capabilities were derived.
---

Software product delivery is complex. Cause and effect are unclear, and little empirical evidence shows that doing _activity X_ will lead to _security improvement Y_.


So, what do we do?

---

## How we derived the PSCF security capabilities

The PSCF team doesn't want to just provide their own opinion of what matters.
A large body of work and rigour already exists in regulatory frameworks and industry and community standards. We analyse these frameworks and standards to derive the fundamental security capabilities they require.

Each framework or standard refers to these capabilities in its own way and places greater or lesser emphasis on certain ones, but there is a significant overlap across them.

{% callout title="Industry-specific Regulators" %}
As we analyse each framework or standard, we capture its emphasis by quantifying how effective (or "mature") it requires you to be at that security capability. So, when you appraise your organisation against the PSCF, you can see how well-prepared you are to adopt a compliance framework or industry standard!
{% /callout %}

The PSCF is a type of [meta-analysis](https://en.wikipedia.org/wiki/Meta-analysis) across multiple bodies of work to determine the collective requirements that define Best Practice.

![A process diagram of how the PSCF derives security capabilities from regulatory frameworks and industry standards](/images/pscf-meta-analysis.png)

## What is "Best Practice"?

If it comes to a customer data breach or similar security-related incident, your organisation will be investigated for negligence by an information rights regulator or equivalent in your country.

{% callout type="warning" title="Industry-specific Regulators" %}
If your organisation operates in certain industry sectors, such as Financial Services, another regulator is likely to investigate you. If you operate across multiple countries, then many will!
{% /callout %}

These investigations typically focus on whether, as an organisation, you were doing enough to ensure adequate security in your software. The incident has shown you had a weakness somewhere in what you were doing.
Was it just an unfortunate occurrence that happened despite all best efforts being made, or was it inevitable because you weren't doing what you should have been doing?

The decision usually comes down to whether you were following industry best practices for security. These best practices aren't your opinion or the opinion of your engineering or security teams. **Best practice is the collective requirements across current, published industry and community security standards**.

## The security activities that matter

So, if we don't know exactly what activities lead to the best security outcomes, then we're left with two sources of guidance for the things that we need to be doing in software product delivery:

1. Any specific requirements that our regulators have placed upon our organisation
2. Collective industry best practice

In this framework, we consider these as:

1. **External compliance obligations**. Mandatory activities you have to do as an organisation to be permitted to operate.
2. **Internal compliance obligations**. Additional activities you have committed to do as an organisation, hopefully based on an industry or community standard, to ensure you're meeting industry best security practices.

When [adopting this framework](/pscf/intro/adopting-this-framework), one of your first steps is determining what these external and internal compliance obligations are.

--------------------------------------------------------------------------------
/concepts/understanding-information-opportunity/page.md:
--------------------------------------------------------------------------------
---
title: Understanding, Information & Opportunity
nextjs:
  metadata:
    title: Understanding, Information & Opportunity
    description: How can we measure capability effectiveness? How can we ensure we're fairly assigning accountability? There are three aspects to both!
---

How can we measure capability effectiveness? How can we ensure we're fairly assigning accountability? There are the same three aspects to both!


---


## Appraising your organisation against the PSCF


One of the goals of this project is to help you answer the question, "How capable are we at security?" for your organisation. You can use the PSCF to:

* Identify missing security capabilities you need to have
* Evaluate the security capabilities you are doing to see if improvements are needed

The first is straightforward: check the capabilities of the PSCF that map to regulatory frameworks or industry standards you need to comply with and see if your organisation is currently doing them.

The second requires a scale to evaluate your capability effectiveness against. In the PSCF, we provide three aspects of capability effectiveness to measure yourself against: Understanding, Information and Opportunity.

## Understanding

### Overview

Having the knowledge to carry out the tasks a security capability needs is very important. At the lowest level, your teams may need to learn that a particular security capability exists in the first place.

{% callout title="You should know!" %}
If your organisation supplies software to the US Federal Government, then the [Minimum Standards for Developer Verification of Software](https://www.nist.gov/publications/guidelines-minimum-standards-developer-verification-software) that the government requires include threat modelling, a capability in the PSCF. Often, teams are unaware of this practice and have never done it before, so you would have a known Understanding gap that you need to close.
{% /callout %}

### The 5-point scale

The PSCF uses Bloom's Revised Taxonomy, a well-established means for measuring understanding:

1. **Remember**: _Define, duplicate, list, memorise_
2. **Understand**: _Describe, discuss, identify, select_
3. **Apply**: _Implement, use, interpret, operate_
4. **Analyse**: _Organise, compare, examine, test_
5. **Evaluate**: _Appraise, defend, select, support_

## Information

### Overview

All of the security capabilities in the PSCF have an aspect of information, or data, to them. The information can be required to:

* Let the people responsible for performing the capability know that it now needs doing
* Feed back to the people responsible that the tasks required for the capability have been carried out satisfactorily
* Alert the person accountable for ensuring the capability is carried out that the responsible people aren't doing it

Good, high-quality data is frequently lacking for security in software delivery, so this is an aspect of a capability's effectiveness that needs close examination as part of an appraisal.

### The 5-point scale

There isn't a commonly used measure of data quality or effectiveness that the PSCF project team are aware of (if you know of one, please let the team know!), so we created our own for the framework, and it has proven very useful in real-world applications of the framework:

1. **Incidental Data**: _Unstructured & unreliable_
2. **Owned & Managed**: _Able to be improved_
3. **Correlated**: _Clearly related & relevant_
4. **Structured & Automatable**: _Predictable & machine-readable_
5. **Behaviour Changing**: _Compellingly presented & reliable_

## Opportunity

### Overview

The last thing that determines a capability's effectiveness is Opportunity, and it has two aspects: time and tools.

#### Time

Even with a high level of knowledge about a security capability and with great data available, if a team simply has no time to carry out the tasks required, then the level of that capability's effectiveness is essentially zero.

{% callout type="warning" title="Accountability Failures" %}
In the software world this is frequently caused by driving a team to deliver new features so fast that corners are cut on quality, including security. If the decision-maker for a team's work priorities is not accountable for the security quality of the software product delivered, then this is almost inevitable.
{% /callout %}

This aspect of Opportunity can be improved by increasing the number of people available to carry out delivery activities or by investing time in automating tasks so that security capabilities are implemented without requiring much, if any, of the team's time.

#### Tools

With plenty of time available to carry out the tasks a capability requires but lacking the essential tools needed, you also have an Opportunity problem. Software security testing might require a tool to perform analysis of source code; threat modelling might require a playing-card-based approach like [OWASP Cornucopia](https://owasp.org/www-project-cornucopia/). If teams don't have access to the necessary tools then, again, capability effectiveness will be essentially zero.


### The 5-point scale

As with information, the PSCF project team aren't aware of a widely used standard for measuring opportunity. Our self-defined scale has proven very applicable in use:

1. **Ad-hoc & Chaotic**: _Random acts of capability_
2. **Reactive**: _Activity done in response to issues_
3. **Scheduled**: _Activity on a regular cadence_
4. **Proactive**: _Activity done ahead of issues_
5. **Low-impact**: _Automated or an efficient team activity_

--------------------------------------------------------------------------------
/contributing/how-to-contribute/page.md:
--------------------------------------------------------------------------------
---
title: How to contribute
nextjs:
  metadata:
    title: How to contribute
    description: Coming soon.
---

_Coming soon_. For now, either comment on the [Google Sheet](https://docs.google.com/spreadsheets/d/1GiQSePaFkY-wFj3RP3VUkZA81Pqzyhn9x78fSL2OTk8/edit#gid=0) or join [Slack](https://owasp.org/slack/invite) and then jump into the [#project-pscf](https://owasp.slack.com/archives/C06HQQF04CU/) channel.

--------------------------------------------------------------------------------
/data/capabilities.json:
--------------------------------------------------------------------------------
{
  "PSCF-RM-OOM": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "N" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "Y" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-RM-CCI": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "Y" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-RM-TPC": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "Y" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-RM-TPD": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "N" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "Y" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-RM-TPS": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "N" }, { "name": "NIST SSDF", "required": "N" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "Y" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-RM-CO": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-RM-DPO": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-RM-BIA": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "N" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-RM-DIA": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "N" }, { "name": "NIST SSDF", "required": "N" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-RM-TI": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-SPM-RC": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "Y" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-SPM-RSS": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "Y" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-SPM-DM": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "N" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "Y" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ]
  },
  "PSCF-SPM-QM": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "Y" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ]
  },
  "PSCF-SPM-POM": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "Y" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ]
  },
  "PSCF-SPM-MAR": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "Y" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "Y" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ]
  },
  "PSCF-SPI-DC": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "N" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "Y" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-SPI-FRA": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "N" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "Y" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-SPI-ATM": {
    "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "Y" }, { "name": "Technical Lead", "accountable": "" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ]
  },
  "PSCF-SPI-CM": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "Y" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ]
  },
  "PSCF-SPI-SCP": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "N" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "Y" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-SBD-DM": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "Y" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "" } ]
  },
  "PSCF-SBD-BP": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "Y" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ]
  },
  "PSCF-SBD-AI": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "Y" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ]
  },
  "PSCF-SBD-DI": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "N" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "Y" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ]
  },
  "PSCF-SBD-SM": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "N" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "Y" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ]
  },
  "PSCF-SBD-DP": {
    "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ],
    "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "" }, { "name": "Technical Lead", "accountable": "Y" } ],
    "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible":
"Y" }, { "name": "Operations", "responsible": "Y" } ] 136 | }, 137 | "PSCF-QC-CST": { 138 | "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ], 139 | "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "Y" }, { "name": "Technical Lead", "accountable": "" } ], 140 | "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ] 141 | }, 142 | "PSCF-QC-EST": { 143 | "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ], 144 | "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "Y" }, { "name": "Technical Lead", "accountable": "" } ], 145 | "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ] 146 | }, 147 | "PSCF-QC-SDM": { 148 | "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ], 149 | "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "Y" }, { "name": "Technical Lead", "accountable": "" } ], 150 | "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "Y" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ] 151 | }, 152 | "PSCF-OV-EM": { 153 | "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ], 154 | "accountability": [ { "name": "Organisational Lead", 
"accountable": "" }, { "name": "Product Lead", "accountable": "Y" }, { "name": "Technical Lead", "accountable": "" } ], 155 | "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ] 156 | }, 157 | "PSCF-OV-ID": { 158 | "regulations": [ { "name": "GDPR", "required": "N" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ], 159 | "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "Y" }, { "name": "Technical Lead", "accountable": "" } ], 160 | "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ] 161 | }, 162 | "PSCF-OV-IR": { 163 | "regulations": [ { "name": "GDPR", "required": "Y" }, { "name": "OWASP SAMM", "required": "Y" }, { "name": "NIST SSDF", "required": "Y" } ], 164 | "accountability": [ { "name": "Organisational Lead", "accountable": "" }, { "name": "Product Lead", "accountable": "Y" }, { "name": "Technical Lead", "accountable": "" } ], 165 | "responsibility": [ { "name": "Leadership", "responsible": "" }, { "name": "Product", "responsible": "" }, { "name": "Development", "responsible": "Y" }, { "name": "Operations", "responsible": "Y" } ] 166 | } 167 | } 168 | -------------------------------------------------------------------------------- /intro/acknowledgements/page.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Acknowledgements 3 | nextjs: 4 | metadata: 5 | title: Acknowledgements 6 | description: People and companies not part of the project team that have made a significant contribution. 
7 | ---
8 | 
9 | The PSCF project team would like to thank the following people and companies for their help and contributions towards the development of the framework.
10 | ---
11 | 
12 | ## People
13 | 
14 | * **Martin Walsh** - [Chief Product Officer, Einride](https://www.linkedin.com/in/martin-walsh-7582235/)
15 | * **Alex Strachan** - [Director, Turner & Townsend](https://www.linkedin.com/in/strachanalex/)
16 | 
17 | ## Companies
18 | 
19 | * [Shell Recharge Solutions](https://shellrecharge.com/)
20 | * [Turner & Townsend](https://www.turnerandtownsend.com/)
21 | * [Secure Delivery](https://securedelivery.io/)
22 | 
23 | ## PSCF Project Team
24 | 
25 | * [Toby Irvine](https://www.linkedin.com/in/tobyirvine/) (Project Lead)
26 | * [Grant Ongers](https://www.linkedin.com/in/rewtd/)
--------------------------------------------------------------------------------
/intro/adopting-this-framework/page.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Adopting this framework
3 | nextjs:
4 |   metadata:
5 |     title: Adopting this framework
6 |     description: How to adopt this framework and adapt it where necessary for your organisation.
7 | ---
8 | 
9 | How to get started with this framework.
10 | 
11 | ---
12 | 
13 | ## 1. Understand the framework
14 | 
15 | Read through the [framework core concepts](/pscf/concepts/security-requirements-not-security-opinions) to understand how to frame the work of building security capabilities into your software delivery organisation.
16 | 
17 | ## 2. Clarify your organisation's compliance requirements
18 | 
19 | All security capabilities in the PSCF are derived from, and mapped to, regulatory frameworks and industry and community standards. If your organisation must be GDPR compliant and its software delivery function needs to adhere to NIST SSDF, then you can limit the security capabilities to just the ones you require.
20 | 
21 | ## 3. Determine your accountable roles and responsible groups
22 | 
23 | The framework comes with suggested accountable roles and responsible groups for each security capability. These are accountabilities and responsibilities that work well and scalably across most organisations, but yours may differ in certain ways. It's extremely important to clearly define these accountabilities and responsibilities, as a lack of clarity here is what leads to most security programmes failing.
24 | 
25 | See [Accountability & Responsibility](/pscf/concepts/accountability-and-responsibility) for details on how to fairly and scalably assign accountability and responsibility in your organisation.
26 | 
27 | ## 4. Appraise your organisation
28 | 
29 | Once you know the security capabilities your delivery organisation must have to meet its compliance requirements, and the people who are involved in doing them, you can determine how effective your organisation currently is at each of those capabilities.
30 | 
31 | The framework uses a 1-5 scale of effectiveness for each capability across three areas (Understanding, Information and Opportunity). This gives you all the detail you need to plan for capability uplift where needed. A capability may have:
32 | 
33 | * An understanding issue, where people need to be trained or supporting tooling needs to be brought in to help
34 | * An information issue, which work on data gathering, analysis and presentation can solve by putting actionable information in front of the right people
35 | * An opportunity issue, requiring an investment in automation or in additional people to carry out the required security capabilities during product delivery
36 | 
37 | There is an example appraisal [Google Sheet](https://docs.google.com/spreadsheets/d/1GiQSePaFkY-wFj3RP3VUkZA81Pqzyhn9x78fSL2OTk8/edit#gid=0) included in the project that you can make a copy of to use for your own appraisal (simply replace the random numbers with your own).
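Steps 2 and 4 above can be driven directly from the `data/capabilities.json` model shown earlier in this dump: filter the capabilities to those at least one of your obligations marks `"required": "Y"`, then, for each, find the lowest-scoring of the three appraisal dimensions and the suggested role and groups who own the uplift. The script below is an added example, not code from the PSCF project. The three `CAPABILITIES` entries are copied verbatim from `data/capabilities.json`; the `APPRAISAL` scores, the gap `threshold` and the function names are constructed for illustration.

```python
"""Scope PSCF capabilities by compliance obligation and find appraisal gaps.

Added example; not part of the PSCF project. CAPABILITIES is an excerpt of
data/capabilities.json (same schema). APPRAISAL scores and the gap threshold
are constructed for illustration.
"""

# Excerpt of data/capabilities.json: for each capability, which regulations
# require it, the suggested accountable role and the responsible groups.
CAPABILITIES = {
    "PSCF-SPI-ATM": {
        "regulations": [{"name": "GDPR", "required": "Y"}, {"name": "OWASP SAMM", "required": "Y"},
                        {"name": "NIST SSDF", "required": "Y"}],
        "accountability": [{"name": "Organisational Lead", "accountable": ""}, {"name": "Product Lead", "accountable": "Y"},
                           {"name": "Technical Lead", "accountable": ""}],
        "responsibility": [{"name": "Leadership", "responsible": ""}, {"name": "Product", "responsible": "Y"},
                           {"name": "Development", "responsible": "Y"}, {"name": "Operations", "responsible": "Y"}],
    },
    "PSCF-SPI-SCP": {
        "regulations": [{"name": "GDPR", "required": "N"}, {"name": "OWASP SAMM", "required": "N"},
                        {"name": "NIST SSDF", "required": "Y"}],
        "accountability": [{"name": "Organisational Lead", "accountable": ""}, {"name": "Product Lead", "accountable": ""},
                           {"name": "Technical Lead", "accountable": "Y"}],
        "responsibility": [{"name": "Leadership", "responsible": ""}, {"name": "Product", "responsible": ""},
                           {"name": "Development", "responsible": "Y"}, {"name": "Operations", "responsible": ""}],
    },
    "PSCF-SBD-DI": {
        "regulations": [{"name": "GDPR", "required": "N"}, {"name": "OWASP SAMM", "required": "Y"},
                        {"name": "NIST SSDF", "required": "N"}],
        "accountability": [{"name": "Organisational Lead", "accountable": ""}, {"name": "Product Lead", "accountable": ""},
                           {"name": "Technical Lead", "accountable": "Y"}],
        "responsibility": [{"name": "Leadership", "responsible": ""}, {"name": "Product", "responsible": ""},
                           {"name": "Development", "responsible": "Y"}, {"name": "Operations", "responsible": "Y"}],
    },
}

# The three appraisal areas from step 4; tie-breaks in weakest_dimension use this order.
DIMENSIONS = ("Understanding", "Information", "Opportunity")


def required_capabilities(capabilities, obligations):
    """Step 2: IDs of capabilities that at least one of our obligations marks required."""
    wanted = set(obligations)
    return sorted(cid for cid, cap in capabilities.items()
                  if any(r["name"] in wanted and r["required"] == "Y" for r in cap["regulations"]))


def flagged(entries, key):
    """Names in an accountability or responsibility list whose flag is 'Y'."""
    return [e["name"] for e in entries if e[key] == "Y"]


def weakest_dimension(scores):
    """Step 4: the lowest-scoring dimension on the 1-5 scale.
    A score outside 1-5 is rejected rather than silently ranked."""
    for dim in DIMENSIONS:
        if not 1 <= scores[dim] <= 5:
            raise ValueError(f"{dim} score {scores[dim]!r} is outside the 1-5 scale")
    return min(DIMENSIONS, key=lambda dim: scores[dim])


def gap_report(capabilities, obligations, appraisal, threshold=3):
    """Required capabilities whose weakest dimension scores below threshold,
    with the suggested accountable role(s) and responsible group(s) who own the uplift."""
    report = []
    for cid in required_capabilities(capabilities, obligations):
        if cid not in appraisal:
            # A required capability nobody appraised is itself a finding, not something to skip.
            raise KeyError(f"{cid} is required but has not been appraised")
        dim = weakest_dimension(appraisal[cid])
        if appraisal[cid][dim] < threshold:
            cap = capabilities[cid]
            report.append({"capability": cid, "dimension": dim, "score": appraisal[cid][dim],
                           "accountable": flagged(cap["accountability"], "accountable"),
                           "responsible": flagged(cap["responsibility"], "responsible")})
    return report


# Constructed appraisal scores (1-5) for the excerpt above.
APPRAISAL = {
    "PSCF-SPI-ATM": {"Understanding": 4, "Information": 2, "Opportunity": 3},
    "PSCF-SPI-SCP": {"Understanding": 3, "Information": 4, "Opportunity": 1},
    "PSCF-SBD-DI": {"Understanding": 2, "Information": 2, "Opportunity": 2},
}

if __name__ == "__main__":
    # An organisation that must meet GDPR and NIST SSDF: PSCF-SBD-DI (OWASP SAMM only) drops out of scope.
    for row in gap_report(CAPABILITIES, ["GDPR", "NIST SSDF"], APPRAISAL):
        print(f'{row["capability"]}: {row["dimension"]} scores {row["score"]}; '
              f'accountable {row["accountable"]}, responsible {row["responsible"]}')
```

Swap the excerpt for `json.load(open("data/capabilities.json"))` and the constructed scores for a row per capability exported from your appraisal sheet, and the report becomes the input to step 5: each row names the capability, the dimension to invest in and the people the framework suggests should own it.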
38 | 
39 | The appraisal gives you all the information you need for the next step.
40 | 
41 | ## 5. Plan your product security programme
42 | 
43 | Now you've identified where you have gaps in understanding, information or opportunity across the security capabilities your organisation requires, you can prioritise the most important areas of concern with a programme of work for capability uplift.
44 | 
45 | ## 6. Update your security policy
46 | 
47 | With a clear view of the security capabilities your organisation needs and the people who are accountable and responsible for them, you can update your security policy for software delivery to define the requirements for everyone.
48 | 
49 | Involve all your defined accountable people and representatives from the responsible groups in the security policy update. Software product security comes from within the delivery organisation; it can't effectively be imposed on it from outside.
50 | 
51 | {% callout type="warning" title="Mind the gap!" %}
52 | The difference between how you think people are working and how they are actually working is known as an "Alignment Gap". These gaps introduce substantial risk to the organisation and can be created by an aspirational policy that isn't grounded in reality, or by gradual changes in working practices not being tracked by updating policy.
53 | 
54 | You can manage this alignment gap by setting a future date at which new policy will come into effect for the organisation and aligning that date with your product security programme of work, making sure that all the necessary improvements to understanding, information and opportunity are in place before the new policy comes into effect.
55 | {% /callout %}
56 | 
57 | ## 7. Regularly re-appraise
58 | 
59 | After an interval that makes sense, most likely determined by how quickly your organisation can implement improvements, re-appraise the delivery organisation against the required security capabilities. Doing this means:
60 | 
61 | * You can quantitatively show the ROI of strategic improvement work through capability uplift
62 | * You can update your product security programme to be more effective, if needed
63 | * Everyone in the delivery organisation can see how their hard work is benefiting them, and their customers
64 | 
65 | {% callout title="Security Capability Agility" %}
66 | If your organisation is entering new geographic markets or industry verticals that bring new compliance requirements, you can proactively bring in any new required security capabilities or any higher capability effectiveness needed to meet these requirements using the PSCF!
67 | {% /callout %}
68 | 
--------------------------------------------------------------------------------
/intro/how-this-framework-helps/page.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: How this framework helps
3 | nextjs:
4 |   metadata:
5 |     title: How this framework helps
6 |     description: What can this framework do for you?
7 | ---
8 | 
9 | It's common for decision-makers in software delivery organisations not to know what they should be doing to ensure the security of their products.
10 | 
11 | We created the Product Security Capability Framework to provide a clear way of thinking about software product security and the delivery activities that lead to building and maintaining the right level of security for your customers and your organisation.
12 | 
13 | This framework is designed to be the foundation of:
14 | 
15 | * Your point-in-time appraisals of current security capability
16 | * The security policy defining how your organisation works to build secure products
17 | * Your strategic product security programme for continuous improvement
18 | 
19 | By doing these things, the framework "frames the work" of building the required security capabilities into your software delivery organisation.
20 | 
21 | {% callout title="If it matters for software product security, then it's a capability in the PSCF" %}
22 | That's a bold claim, but we're confident in making it due to how we've derived the capabilities in this framework. Check out the framework core concepts to find out more.
23 | {% /callout %}
24 | 
25 | 
--------------------------------------------------------------------------------
/intro/licensing/page.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Licensing
3 | nextjs:
4 |   metadata:
5 |     title: Licensing
6 |     description: The Product Security Capability Framework © 2023 is licensed under CC BY-SA 4.0
7 | ---
8 | 
9 | **The Product Security Capability Framework is licensed under** [CC BY-SA 4.0](http://creativecommons.org/licenses/by-sa/4.0/?ref=chooser-v1)
10 | 
11 | ---
12 | 
13 | The CC BY-SA 4.0 license covers all of the framework data and content held in the [PSCF GitHub Repository](https://github.com/OWASP/PSCF), unless otherwise specified.
14 | 
15 | The [PSCF website](https://prods.ec/) hosting is provided by the project sponsor, [Secure Delivery](https://securedelivery.io/), and its design and code are licensed commercially from [Tailwind Labs Inc.](https://tailwindui.com/)
16 | 
17 | {% callout title="To be clear" %}
18 | All of the framework data model and accompanying content in the project's GitHub repository is available for use under the Creative Commons license specified. Please do not under any circumstances clone or copy the framework website itself. If you like [the site design and implementation](https://tailwindui.com/templates/syntax) please support its creators by purchasing a license from Tailwind Labs!
19 | {% /callout %}
20 | 
21 | 
--------------------------------------------------------------------------------
/intro/what-is-a-framework/page.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: What is a framework?
3 | nextjs:
4 |   metadata:
5 |     title: What is a framework?
6 |     description: Starting at the beginning - what is a framework and what is it for?
7 | ---
8 | 
9 | The word "Framework" is applied to a lot of things without much thought. Let's define what a framework is and when you might need one.
10 | 
11 | ---
12 | 
13 | ## A framework "frames work"
14 | 
15 | Perhaps an obvious statement to make, but one worth making! If you're building, say, a stone arch, then using a wooden framework will help a lot with getting the work done and will also improve the quality of the finished arch.
16 | 
17 | ![A stone arch framework](/images/stone-arch-framework.jpg)
18 | _Image Credit: Stephens College [Art History Glossary](https://blog.stephens.edu/arh101glossary/?glossary=centering)_
19 | 
20 | Without a framework, the work of building an arch will be haphazard, require more people to do it, and the end product is unlikely to be satisfactory. In some cases, it might be impossible to do the work at all without a framework.
21 | 
22 | ## Frameworks for knowledge work
23 | 
24 | In knowledge work such as software development, a framework has the same purpose: to frame the work being done so that it can be done more easily and produce a higher quality result.
25 | 
26 | In all cases, a framework must provide more value than it costs to build or use. If using a framework is more trouble than the benefits it brings to the work, it's not a useful framework.
27 | 
28 | We hope you find this framework useful!
29 | 
30 | 
--------------------------------------------------------------------------------
/license.txt:
--------------------------------------------------------------------------------
1 | Attribution-ShareAlike 4.0 International
2 | 
3 | =======================================================================
4 | 
5 | Creative Commons Corporation ("Creative Commons") is not a law firm and
6 | does not provide legal services or legal advice.
Distribution of 7 | Creative Commons public licenses does not create a lawyer-client or 8 | other relationship. Creative Commons makes its licenses and related 9 | information available on an "as-is" basis. Creative Commons gives no 10 | warranties regarding its licenses, any material licensed under their 11 | terms and conditions, or any related information. Creative Commons 12 | disclaims all liability for damages resulting from their use to the 13 | fullest extent possible. 14 | 15 | Using Creative Commons Public Licenses 16 | 17 | Creative Commons public licenses provide a standard set of terms and 18 | conditions that creators and other rights holders may use to share 19 | original works of authorship and other material subject to copyright 20 | and certain other rights specified in the public license below. The 21 | following considerations are for informational purposes only, are not 22 | exhaustive, and do not form part of our licenses. 23 | 24 | Considerations for licensors: Our public licenses are 25 | intended for use by those authorized to give the public 26 | permission to use material in ways otherwise restricted by 27 | copyright and certain other rights. Our licenses are 28 | irrevocable. Licensors should read and understand the terms 29 | and conditions of the license they choose before applying it. 30 | Licensors should also secure all rights necessary before 31 | applying our licenses so that the public can reuse the 32 | material as expected. Licensors should clearly mark any 33 | material not subject to the license. This includes other CC- 34 | licensed material, or material used under an exception or 35 | limitation to copyright. More considerations for licensors: 36 | wiki.creativecommons.org/Considerations_for_licensors 37 | 38 | Considerations for the public: By using one of our public 39 | licenses, a licensor grants the public permission to use the 40 | licensed material under specified terms and conditions. 
If 41 | the licensor's permission is not necessary for any reason--for 42 | example, because of any applicable exception or limitation to 43 | copyright--then that use is not regulated by the license. Our 44 | licenses grant only permissions under copyright and certain 45 | other rights that a licensor has authority to grant. Use of 46 | the licensed material may still be restricted for other 47 | reasons, including because others have copyright or other 48 | rights in the material. A licensor may make special requests, 49 | such as asking that all changes be marked or described. 50 | Although not required by our licenses, you are encouraged to 51 | respect those requests where reasonable. More considerations 52 | for the public: 53 | wiki.creativecommons.org/Considerations_for_licensees 54 | 55 | ======================================================================= 56 | 57 | Creative Commons Attribution-ShareAlike 4.0 International Public 58 | License 59 | 60 | By exercising the Licensed Rights (defined below), You accept and agree 61 | to be bound by the terms and conditions of this Creative Commons 62 | Attribution-ShareAlike 4.0 International Public License ("Public 63 | License"). To the extent this Public License may be interpreted as a 64 | contract, You are granted the Licensed Rights in consideration of Your 65 | acceptance of these terms and conditions, and the Licensor grants You 66 | such rights in consideration of benefits the Licensor receives from 67 | making the Licensed Material available under these terms and 68 | conditions. 69 | 70 | 71 | Section 1 -- Definitions. 72 | 73 | a. Adapted Material means material subject to Copyright and Similar 74 | Rights that is derived from or based upon the Licensed Material 75 | and in which the Licensed Material is translated, altered, 76 | arranged, transformed, or otherwise modified in a manner requiring 77 | permission under the Copyright and Similar Rights held by the 78 | Licensor. 
For purposes of this Public License, where the Licensed 79 | Material is a musical work, performance, or sound recording, 80 | Adapted Material is always produced where the Licensed Material is 81 | synched in timed relation with a moving image. 82 | 83 | b. Adapter's License means the license You apply to Your Copyright 84 | and Similar Rights in Your contributions to Adapted Material in 85 | accordance with the terms and conditions of this Public License. 86 | 87 | c. BY-SA Compatible License means a license listed at 88 | creativecommons.org/compatiblelicenses, approved by Creative 89 | Commons as essentially the equivalent of this Public License. 90 | 91 | d. Copyright and Similar Rights means copyright and/or similar rights 92 | closely related to copyright including, without limitation, 93 | performance, broadcast, sound recording, and Sui Generis Database 94 | Rights, without regard to how the rights are labeled or 95 | categorized. For purposes of this Public License, the rights 96 | specified in Section 2(b)(1)-(2) are not Copyright and Similar 97 | Rights. 98 | 99 | e. Effective Technological Measures means those measures that, in the 100 | absence of proper authority, may not be circumvented under laws 101 | fulfilling obligations under Article 11 of the WIPO Copyright 102 | Treaty adopted on December 20, 1996, and/or similar international 103 | agreements. 104 | 105 | f. Exceptions and Limitations means fair use, fair dealing, and/or 106 | any other exception or limitation to Copyright and Similar Rights 107 | that applies to Your use of the Licensed Material. 108 | 109 | g. License Elements means the license attributes listed in the name 110 | of a Creative Commons Public License. The License Elements of this 111 | Public License are Attribution and ShareAlike. 112 | 113 | h. Licensed Material means the artistic or literary work, database, 114 | or other material to which the Licensor applied this Public 115 | License. 116 | 117 | i. 
Licensed Rights means the rights granted to You subject to the 118 | terms and conditions of this Public License, which are limited to 119 | all Copyright and Similar Rights that apply to Your use of the 120 | Licensed Material and that the Licensor has authority to license. 121 | 122 | j. Licensor means the individual(s) or entity(ies) granting rights 123 | under this Public License. 124 | 125 | k. Share means to provide material to the public by any means or 126 | process that requires permission under the Licensed Rights, such 127 | as reproduction, public display, public performance, distribution, 128 | dissemination, communication, or importation, and to make material 129 | available to the public including in ways that members of the 130 | public may access the material from a place and at a time 131 | individually chosen by them. 132 | 133 | l. Sui Generis Database Rights means rights other than copyright 134 | resulting from Directive 96/9/EC of the European Parliament and of 135 | the Council of 11 March 1996 on the legal protection of databases, 136 | as amended and/or succeeded, as well as other essentially 137 | equivalent rights anywhere in the world. 138 | 139 | m. You means the individual or entity exercising the Licensed Rights 140 | under this Public License. Your has a corresponding meaning. 141 | 142 | 143 | Section 2 -- Scope. 144 | 145 | a. License grant. 146 | 147 | 1. Subject to the terms and conditions of this Public License, 148 | the Licensor hereby grants You a worldwide, royalty-free, 149 | non-sublicensable, non-exclusive, irrevocable license to 150 | exercise the Licensed Rights in the Licensed Material to: 151 | 152 | a. reproduce and Share the Licensed Material, in whole or 153 | in part; and 154 | 155 | b. produce, reproduce, and Share Adapted Material. 156 | 157 | 2. Exceptions and Limitations. 
For the avoidance of doubt, where 158 | Exceptions and Limitations apply to Your use, this Public 159 | License does not apply, and You do not need to comply with 160 | its terms and conditions. 161 | 162 | 3. Term. The term of this Public License is specified in Section 163 | 6(a). 164 | 165 | 4. Media and formats; technical modifications allowed. The 166 | Licensor authorizes You to exercise the Licensed Rights in 167 | all media and formats whether now known or hereafter created, 168 | and to make technical modifications necessary to do so. The 169 | Licensor waives and/or agrees not to assert any right or 170 | authority to forbid You from making technical modifications 171 | necessary to exercise the Licensed Rights, including 172 | technical modifications necessary to circumvent Effective 173 | Technological Measures. For purposes of this Public License, 174 | simply making modifications authorized by this Section 2(a) 175 | (4) never produces Adapted Material. 176 | 177 | 5. Downstream recipients. 178 | 179 | a. Offer from the Licensor -- Licensed Material. Every 180 | recipient of the Licensed Material automatically 181 | receives an offer from the Licensor to exercise the 182 | Licensed Rights under the terms and conditions of this 183 | Public License. 184 | 185 | b. Additional offer from the Licensor -- Adapted Material. 186 | Every recipient of Adapted Material from You 187 | automatically receives an offer from the Licensor to 188 | exercise the Licensed Rights in the Adapted Material 189 | under the conditions of the Adapter's License You apply. 190 | 191 | c. No downstream restrictions. You may not offer or impose 192 | any additional or different terms or conditions on, or 193 | apply any Effective Technological Measures to, the 194 | Licensed Material if doing so restricts exercise of the 195 | Licensed Rights by any recipient of the Licensed 196 | Material. 197 | 198 | 6. No endorsement. 
             Nothing in this Public License constitutes or
             may be construed as permission to assert or imply that You
             are, or that Your use of the Licensed Material is, connected
             with, or sponsored, endorsed, or granted official status by,
             the Licensor or others designated to receive attribution as
             provided in Section 3(a)(1)(A)(i).

     b. Other rights.

          1. Moral rights, such as the right of integrity, are not
             licensed under this Public License, nor are publicity,
             privacy, and/or other similar personality rights; however, to
             the extent possible, the Licensor waives and/or agrees not to
             assert any such rights held by the Licensor to the limited
             extent necessary to allow You to exercise the Licensed
             Rights, but not otherwise.

          2. Patent and trademark rights are not licensed under this
             Public License.

          3. To the extent possible, the Licensor waives any right to
             collect royalties from You for the exercise of the Licensed
             Rights, whether directly or through a collecting society
             under any voluntary or waivable statutory or compulsory
             licensing scheme. In all other cases the Licensor expressly
             reserves any right to collect such royalties.


Section 3 -- License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the
following conditions.

     a. Attribution.

          1. If You Share the Licensed Material (including in modified
             form), You must:

               a. retain the following if it is supplied by the Licensor
                  with the Licensed Material:

                    i. identification of the creator(s) of the Licensed
                       Material and any others designated to receive
                       attribution, in any reasonable manner requested by
                       the Licensor (including by pseudonym if
                       designated);

                   ii. a copyright notice;

                  iii. a notice that refers to this Public License;

                   iv. a notice that refers to the disclaimer of
                       warranties;

                    v. a URI or hyperlink to the Licensed Material to the
                       extent reasonably practicable;

               b. indicate if You modified the Licensed Material and
                  retain an indication of any previous modifications; and

               c. indicate the Licensed Material is licensed under this
                  Public License, and include the text of, or the URI or
                  hyperlink to, this Public License.

          2. You may satisfy the conditions in Section 3(a)(1) in any
             reasonable manner based on the medium, means, and context in
             which You Share the Licensed Material. For example, it may be
             reasonable to satisfy the conditions by providing a URI or
             hyperlink to a resource that includes the required
             information.

          3. If requested by the Licensor, You must remove any of the
             information required by Section 3(a)(1)(A) to the extent
             reasonably practicable.

     b. ShareAlike.

        In addition to the conditions in Section 3(a), if You Share
        Adapted Material You produce, the following conditions also apply.

          1. The Adapter's License You apply must be a Creative Commons
             license with the same License Elements, this version or
             later, or a BY-SA Compatible License.

          2. You must include the text of, or the URI or hyperlink to, the
             Adapter's License You apply. You may satisfy this condition
             in any reasonable manner based on the medium, means, and
             context in which You Share Adapted Material.

          3. You may not offer or impose any additional or different terms
             or conditions on, or apply any Effective Technological
             Measures to, Adapted Material that restrict exercise of the
             rights granted under the Adapter's License You apply.


Section 4 -- Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that
apply to Your use of the Licensed Material:

     a. for the avoidance of doubt, Section 2(a)(1) grants You the right
        to extract, reuse, reproduce, and Share all or a substantial
        portion of the contents of the database;

     b. if You include all or a substantial portion of the database
        contents in a database in which You have Sui Generis Database
        Rights, then the database in which You have Sui Generis Database
        Rights (but not its individual contents) is Adapted Material,
        including for purposes of Section 3(b); and

     c. You must comply with the conditions in Section 3(a) if You Share
        all or a substantial portion of the contents of the database.

For the avoidance of doubt, this Section 4 supplements and does not
replace Your obligations under this Public License where the Licensed
Rights include other Copyright and Similar Rights.


Section 5 -- Disclaimer of Warranties and Limitation of Liability.

     a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
        EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
        AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
        ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
        IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
        WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
        PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
        ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
        KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
        ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.

     b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
        TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
        NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
        INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
        COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
        USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
        ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
        DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
        IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.

     c. The disclaimer of warranties and limitation of liability provided
        above shall be interpreted in a manner that, to the extent
        possible, most closely approximates an absolute disclaimer and
        waiver of all liability.


Section 6 -- Term and Termination.

     a. This Public License applies for the term of the Copyright and
        Similar Rights licensed here. However, if You fail to comply with
        this Public License, then Your rights under this Public License
        terminate automatically.

     b. Where Your right to use the Licensed Material has terminated under
        Section 6(a), it reinstates:

          1. automatically as of the date the violation is cured, provided
             it is cured within 30 days of Your discovery of the
             violation; or

          2. upon express reinstatement by the Licensor.

        For the avoidance of doubt, this Section 6(b) does not affect any
        right the Licensor may have to seek remedies for Your violations
        of this Public License.

     c. For the avoidance of doubt, the Licensor may also offer the
        Licensed Material under separate terms or conditions or stop
        distributing the Licensed Material at any time; however, doing so
        will not terminate this Public License.

     d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
        License.


Section 7 -- Other Terms and Conditions.

     a. The Licensor shall not be bound by any additional or different
        terms or conditions communicated by You unless expressly agreed.

     b. Any arrangements, understandings, or agreements regarding the
        Licensed Material not stated herein are separate from and
        independent of the terms and conditions of this Public License.


Section 8 -- Interpretation.

     a. For the avoidance of doubt, this Public License does not, and
        shall not be interpreted to, reduce, limit, restrict, or impose
        conditions on any use of the Licensed Material that could lawfully
        be made without permission under this Public License.

     b. To the extent possible, if any provision of this Public License is
        deemed unenforceable, it shall be automatically reformed to the
        minimum extent necessary to make it enforceable. If the provision
        cannot be reformed, it shall be severed from this Public License
        without affecting the enforceability of the remaining terms and
        conditions.

     c. No term or condition of this Public License will be waived and no
        failure to comply consented to unless expressly agreed to by the
        Licensor.

     d. Nothing in this Public License constitutes or may be interpreted
        as a limitation upon, or waiver of, any privileges and immunities
        that apply to the Licensor or You, including from the legal
        processes of any jurisdiction or authority.


=======================================================================

Creative Commons is not a party to its public
licenses. Notwithstanding, Creative Commons may elect to apply one of
its public licenses to material it publishes and in those instances
will be considered the “Licensor.” The text of the Creative Commons
public licenses is dedicated to the public domain under the CC0 Public
Domain Dedication. Except for the limited purpose of indicating that
material is shared under a Creative Commons public license or as
otherwise permitted by the Creative Commons policies published at
creativecommons.org/policies, Creative Commons does not authorize the
use of the trademark "Creative Commons" or any other trademark or logo
of Creative Commons without its prior written consent including,
without limitation, in connection with any unauthorized modifications
to any of its public licenses or any other arrangements,
understandings, or agreements concerning use of licensed material. For
the avoidance of doubt, this paragraph does not form part of the
public licenses.

Creative Commons may be contacted at creativecommons.org.