Subject: Intro
I ran into Dee at Black Hat and mentioned my work. She indicated that SARIF was under active discussion, so here I am.

I've been working on the development and documentation of a modern cybersecurity development lifecycle that incorporates the lessons learned since Microsoft introduced their SDL about twenty years ago. Part of that work included recommended automation via information exchange formats. Static analysis of course recommends SARIF, but it is also recommended for other use cases (with extensions). These use cases include: threat modeling, dynamic analysis, fuzz testing, penetration testing, and attack surface analysis. I'm hoping the group will find these informative. I also presume that we've missed appropriate use of SARIF and we'll need to make corrections. The intent is to be able to validate as SARIF generally and also validate using a specialized schema.

The general link to the work (AVCDL) is: https://github.com/nutonomy/AVCDL

Specific links to the use cases mentioned are as follows:

Threat modeling: https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/secondary_documents/Threat%20Modeling%20Report.pdf
Fuzz testing: https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/secondary_documents/Fuzz%20Testing%20Report.pdf
Static analysis: https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/secondary_documents/Static%20Analysis%20Report.pdf
Dynamic analysis: https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/secondary_documents/Dynamic%20Analysis%20Report.pdf
Penetration testing: https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/secondary_documents/Penetration%20Testing%20Report.pdf

Since SBOM came up in the last call, here's my take. You'll note it to be far more end-to-end than most discussions.
https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/elaboration_documents/Software%20Bill%20of%20Materials%20Lifecycle.pdf
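One way to realize the two-layer validation the message describes (validate as SARIF generally, then against a specialized schema), as an added example that is not AVCDL or OASIS code. The first layer checks a minimal subset of the SARIF 2.1.0 core shape; the second layer is a hypothetical use-case profile carried in SARIF property bags, and the use-case names, the severity values and the sample log are constructed for this example.

```python
# Hypothetical profile (assumption): the use cases named in the message.
USE_CASES = {"threat-modeling", "static-analysis", "dynamic-analysis",
             "fuzz-testing", "penetration-testing", "attack-surface-analysis"}
SEVERITIES = {"low", "medium", "high", "critical"}

def validate_sarif_core(log):
    """Layer 1: minimal check of the SARIF 2.1.0 core shape; returns a list of errors."""
    errors = []
    if log.get("version") != "2.1.0":
        errors.append("version must be '2.1.0'")
    runs = log.get("runs")
    if not isinstance(runs, list) or not runs:
        return errors + ["runs must be a non-empty array"]
    for i, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not isinstance(driver.get("name"), str):
            errors.append(f"runs[{i}].tool.driver.name is required")
        for j, res in enumerate(run.get("results", [])):
            if not isinstance(res.get("message", {}).get("text"), str):
                errors.append(f"runs[{i}].results[{j}].message.text is required")
    return errors

def validate_use_case_profile(log):
    """Layer 2 (hypothetical): each run names a use case and each result has a severity."""
    errors = []
    for i, run in enumerate(log.get("runs", [])):
        if run.get("properties", {}).get("useCase") not in USE_CASES:
            errors.append(f"runs[{i}].properties.useCase must name a known use case")
        for j, res in enumerate(run.get("results", [])):
            if res.get("properties", {}).get("severity") not in SEVERITIES:
                errors.append(f"runs[{i}].results[{j}].properties.severity is invalid")
    return errors

def validate(log):
    """General SARIF check first; the specialized profile applies only if it passes."""
    core_errors = validate_sarif_core(log)
    return core_errors if core_errors else validate_use_case_profile(log)

# Constructed sample: one fuzz-testing run with one finding (not a real report).
SAMPLE_LOG = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-fuzzer"}},
    "properties": {"useCase": "fuzz-testing"},
    "results": [{"ruleId": "CRASH-001", "message": {"text": "crash on 4 KiB input"},
                 "properties": {"severity": "high"}}]}]}

if __name__ == "__main__":
    print(validate(SAMPLE_LOG) or "valid")
```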