cloud-native-security-controls/controls-catalog#25 sample catalog from commit efd54969bd1abf8a253418d8a43c4c8b303147e8
{
"uuid": "d74dc2ba-eb2e-44b7-93e2-457076506395",
"metadata": {
"title": "Cloud Native Security Controls Catalog",
"published": null,
"last_modified": "2023-03-14T18:07:44.230+00:00",
"version": "0.0.1",
"oscal_version": "1.0.2",
"revisions": null,
"document_ids": null,
"props": null,
"links": null,
"roles": null,
"locations": null,
"parties": null,
"responsible_parties": null,
"remarks": null
},
"params": null,
"controls": [
{
"id": "control-1",
"class_": null,
"title": "Secrets are injected at runtime, such as environment variables or as a file",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-2",
"class_": null,
"title": "Applications and workloads are explicitly authorized to communicate with each other using mutual authentication",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-3",
"class_": null,
"title": "Keys are rotated frequently",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-4",
"class_": null,
"title": "Key lifespan is short",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-5",
"class_": null,
"title": "Credentials and keys protecting sensitive workloads (health/finance/etc) are customer managed (e.g. generated and managed independent of a cloud service provider)",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-6",
"class_": null,
"title": "Authentication and authorization are determined independently",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-7",
"class_": null,
"title": "Authentication and authorization are enforced independently",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-8",
"class_": null,
"title": "Access control and file permissions are updated in real-time",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-9",
"class_": null,
"title": "Authorization for workloads is granted based on attributs and roles/permissions previously assigned",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-10",
"class_": null,
"title": "ABAC and RBAC are used",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-11",
"class_": null,
"title": "End user identity is capable of being accepted, consumed, and forwarded on for contextual or dynamic authorization",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-12",
"class_": null,
"title": "All cluster and workloads operators are authenticated",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-13",
"class_": null,
"title": "cluster and worklods operate actions are evaluated against access control policies governing context, purpose, and output",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-14",
"class_": null,
"title": "Identity federation uses multi-factor authentication for human users",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-15",
"class_": null,
"title": "HSMs are used to physically protect cryptographic secrets with an encryption key residing in the HSM",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-16",
"class_": null,
"title": "Secrets should have a short expiration period or time to live",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-17",
"class_": null,
"title": "Time to live and expiration period on secrets is verfied to prevent reuse",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-18",
"class_": null,
"title": "Secrets management systems are highly available",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-19",
"class_": null,
"title": "Long-lived secrets adhere to periodic rotation and revocation",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-20",
"class_": null,
"title": "Secrets are distributed through secured communication channels protected commensurate with the level of access or data they are protecting",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-21",
"class_": null,
"title": "Secrets injected are runtime are masqued or dropped from logs, audit, or system dumps",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-22",
"class_": null,
"title": "Bootstrapping is employed to verify correct physical and logical location of compute",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-23",
"class_": null,
"title": "Disparate data sensitive workloads are not run on the same host OS kernel",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-24",
"class_": null,
"title": "Monitor and detect any changes to the initial configurations made in runtime",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-25",
"class_": null,
"title": "API auditing is enabled with a filter for a specific set of API Groups or verbs",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-26",
"class_": null,
"title": "Container specific operating systems are in use",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-27",
"class_": null,
"title": "The hardware root of trust is based in a Trusted Platform Module (TPM) or virtual TPM (vTPM)",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-28",
"class_": null,
"title": "Minimize administrative access to the control plane",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-29",
"class_": null,
"title": "Object level and resource requests and limits are controlled through cgroups",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-30",
"class_": null,
"title": "Systems processing alerts are periodically tuned for false positives",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-31",
"class_": null,
"title": "All orchestrator control plane components are configured to communicate via mutual authentication and certificate validation with a periodically rotated certificate",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-32",
"class_": null,
"title": "Only sanctioned capabilities and system calls (e.g. seccomp filters), are allowed to execute or be invoked in a container by the host operating system",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-33",
"class_": null,
"title": "Changes to critical mount points and files are prevented, monitored, and alerted",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-34",
"class_": null,
"title": "Runtime configuration control prevents changes to binaries, certificates, and remote access configurations",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-35",
"class_": null,
"title": "Runtime configuration prevents ingress and egress network access for containers to only what is required to operate",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-36",
"class_": null,
"title": "Policies are defined that restrict communications to only occur between sanctioned microservice pairs",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-37",
"class_": null,
"title": "Use a policy agent to control and enforce authorized, signed container images",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-38",
"class_": null,
"title": "Use a policy agent to control provenance assurance for operational workloads",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-39",
"class_": null,
"title": "Use a service mesh that eliminates implicit trust through data-in-motion protection (i.e. confidentiality, integrity, authentication, authorization)",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-40",
"class_": null,
"title": "Use components that detect, track, aggregate and report system calls and network traffic from a container",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-41",
"class_": null,
"title": "Workloads should be dynamically scanned to detect malicious or insidious behavior for which no known occurrence yet exists",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-42",
"class_": null,
"title": "Environments are continuously scanned to detect new vulnerabilities in workloads",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-43",
"class_": null,
"title": "Actionable audit events are generated that correlate/contextualize data from logs into \"information\" that can drive decision trees/incident response",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-44",
"class_": null,
"title": "Segregation of duties and the principle of least privilege is enforced",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-45",
"class_": null,
"title": "Non-compliant violations are detected based on a pre-configured set of rules defined by the organization's policies",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-46",
"class_": null,
"title": "Native secret stores encrypt with keys from an external Key Management Store (KMS)",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-47",
"class_": null,
"title": "Native secret stores are not configured for base64 encoding or stored in clear-text in the key-value store by default",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-48",
"class_": null,
"title": "Network traffic to malicious domains is detected and denied",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-49",
"class_": null,
"title": "Use encrypted containers for sensitive sources, methods, and data",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-50",
"class_": null,
"title": "Use SBOMs to identify current deployments of vulnerable libraries, dependencies, and packages",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-51",
"class_": null,
"title": "Processes must execute only functions explicitly defined in an allow list",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-52",
"class_": null,
"title": "Functions are not be allowed to make changes to critical file system mount points",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-53",
"class_": null,
"title": "Function access is only permitted to sanctioned services",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-54",
"class_": null,
"title": "Egress network connection is monitored to detect and prevent access to C&C (command and control) and other malicious network domains",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-55",
"class_": null,
"title": "Ingress network inspection is employed detect and remove malicious payloads and commands",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-56",
"class_": null,
"title": "Serverless functions are run in tenant-based resource or performance isolation for similar data classifications",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-57",
"class_": null,
"title": "Trust confirmation verifies the image has a valid signature from an authorized source",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-58",
"class_": null,
"title": "Image runtime policies are enforced prior to deployment",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-59",
"class_": null,
"title": "Image integrity and signature are verified prior to deployment",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-60",
"class_": null,
"title": "Applications provide logs regarding authentication, authorization, actions, and failures",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-61",
"class_": null,
"title": "Forensics capabilities are integrated into an incident response plan and procedures",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-62",
"class_": null,
"title": "AI, ML, or statistical modeling are used for behavioural and heuristic environment analysis to detect unwanted activities",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-63",
"class_": null,
"title": "Establish a dedicated Production environment",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-64",
"class_": null,
"title": "Leverage Dynamic deployments",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-65",
"class_": null,
"title": "Integrate vulnerability and configuration scanning in both the IDE and at the CI system during pull request",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-66",
"class_": null,
"title": "Establish dedicated development, testing, and production environment",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-67",
"class_": null,
"title": "Build tests for business-critical code",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-68",
"class_": null,
"title": "Build tests for business-critical infrastructure",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-69",
"class_": null,
"title": "Test suite able to be ran locally",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-70",
"class_": null,
"title": "Test suites should be available to run in a shared environment",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-71",
"class_": null,
"title": "Implement at least one other non-author reviewer/approver prior to merging",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-72",
"class_": null,
"title": "Code should be clean and well commented",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-73",
"class_": null,
"title": "Full infrastructure tests are used",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-74",
"class_": null,
"title": "Regression tests are used",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-75",
"class_": null,
"title": "Test suites are updated against new and emerging threats and developed into security regressions tests",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-76",
"class_": null,
"title": "Establish a dedicated Testing environment",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-77",
"class_": null,
"title": "Continuous integration server is isolated and hardened",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-78",
"class_": null,
"title": "Use threat model results to determine ROI for test development",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-79",
"class_": null,
"title": "Should software artifacts become untrusted due to compromise or other incident, teams should revoke signing keys to ensure repudiation",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-80",
"class_": null,
"title": "Artifacts ready for deployment are managed in a staging or pre-prod registry",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-81",
"class_": null,
"title": "container images are hardened following best practices",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-82",
"class_": null,
"title": "Static application security testing (SAST) is performed",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-83",
"class_": null,
"title": "Test suites follow the test pyramid",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-84",
"class_": null,
"title": "Artifacts undergoing active development are held in a private registery",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-85",
"class_": null,
"title": "Scan application manifests in CI pipeline",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-86",
"class_": null,
"title": "CI server's for sensitive workloads are isolated from other workloads",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-87",
"class_": null,
"title": "Builds requiring elevated privileges must run on dedicated servers",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-88",
"class_": null,
"title": "Build policies are enforced on the CI pipeline",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-89",
"class_": null,
"title": "Sign pipeline metadata",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-90",
"class_": null,
"title": "Build stages are verified prior to the next stage executing",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-91",
"class_": null,
"title": "Images are scanned within the CI pipeline",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-92",
"class_": null,
"title": "Vulnerability scans are coupled with pipeline compliance rules",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-93",
"class_": null,
"title": "Dynamic application security testing (DAST) is performed",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-94",
"class_": null,
"title": "Application instrumentation is employed",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-95",
"class_": null,
"title": "Automated test results map back to requirements",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-96",
"class_": null,
"title": "Infrastructure security tests must be employed",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-97",
"class_": null,
"title": "Tests to verify the security health are executed at time of build and at time of deploy",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-98",
"class_": null,
"title": "IaC is subject to the same pipeline policy controls as application code",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-99",
"class_": null,
"title": "Security testing is automated",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-100",
"class_": null,
"title": "Registries require mutually authenticated TLS for all registry connections",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-101",
"class_": null,
"title": "Image and metadata are signed",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-102",
"class_": null,
"title": "Workload-related configuration is signed",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-103",
"class_": null,
"title": "Workload-related package is signed",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-104",
"class_": null,
"title": "Validate integrity of images",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-105",
"class_": null,
"title": "Scan images for vulnerabilities and malware",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-106",
"class_": null,
"title": "Enable image signing key revokation in the event of compromise",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-107",
"class_": null,
"title": "Security updates are prioritized",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-108",
"class_": null,
"title": "HSMs or credential managers should be used for protecting credentials. If this is not possible, software-based credential managers should be used.",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-109",
"class_": null,
"title": "Container image scanning findings are acted upon",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-110",
"class_": null,
"title": "Organizational compliance rules are enforced",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-111",
"class_": null,
"title": "Incremental hardening of the infrastructure is employed",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-112",
"class_": null,
"title": "pulls from public registries are controlled and only from authorized engineers or internal registries",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-113",
"class_": null,
"title": "Image encryption is coupled with key management attestation and/or authorization and credential distribution",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-114",
"class_": null,
"title": "At-risk applications are prioritized for remediation by the exploit maturity and vulnerable path presence in addition to the CVSS score",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-115",
"class_": null,
"title": "Network policies enforce east-west network communication within the container deployment is limited to only that which is authorized for access",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-116",
"class_": null,
"title": "Incident reponse considers cloud native workloads",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-117",
"class_": null,
"title": "Incident response accounts for appropriate evidence handling and collection of coud native workloads",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-118",
"class_": null,
"title": "Rootless builds are employed",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-119",
"class_": null,
"title": "cgroups and system groups are used to isolate workloads and deployments",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-120",
"class_": null,
"title": "MAC implementations are employed",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-121",
"class_": null,
"title": "Threat model code and infrastructure",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-122",
"class_": null,
"title": "Entities are able to independently authenticate other identities",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-123",
"class_": null,
"title": "Each entity can create proof of who the identity is",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-124",
"class_": null,
"title": "Orchestrator is running on an a trusted OS, BIOS, etc",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-125",
"class_": null,
"title": "Orchestrator verifies the claims of a container",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-126",
"class_": null,
"title": "Orchestrator network policies are used in conjunction with a service mesh",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-127",
"class_": null,
"title": "Storage control plane management interface requires mutual authentication and TLS for connections",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-128",
"class_": null,
"title": "Data availability is achieved through parity or mirroring, erasure coding or replicas",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-129",
"class_": null,
"title": "Hashing and checksums are added to blocks, objects or files",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-130",
"class_": null,
"title": "Data backup storage and data source storage should have same security controls",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-131",
"class_": null,
"title": "Secure erasure adhering to OPAL standards is employed for returned or non-functional devices",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-132",
"class_": null,
"title": "Encryption at rest considers data path, size, and frequency of access when determing additional security protections and cryptographic algorithms to employ",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-133",
"class_": null,
"title": "Caching is considered for determining encryption requirements in archictures",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-134",
"class_": null,
"title": "Namespaces have defined trust boundaries to cordon access to volumes",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-135",
"class_": null,
"title": "Security policies are used to prevent containers from accessing volume mounts on worker nodes",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-136",
"class_": null,
"title": "Security policies are used enforce authorized worker node access to volumes",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-137",
"class_": null,
"title": "Volume UID and GID are inaccessible to containers",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-138",
"class_": null,
"title": "Artifact registry supports OCI artifacts",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-139",
"class_": null,
"title": "Artifact registry supports signed artifacts",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-140",
"class_": null,
"title": "Artifact registry verifies artifacts against organizational policies",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-141",
"class_": null,
"title": "Every step in the build process should be signed/attested for process integrity",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-142",
"class_": null,
"title": "Every step in the build process should verify the previously generated signatures",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-143",
"class_": null,
"title": "Use a framework to manage signing of artefacts.",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-144",
"class_": null,
"title": "Use a store to manage attestations",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-145",
"class_": null,
"title": "Limit which artefacts any given party is authorized to certify",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-146",
"class_": null,
"title": "Rotation and revokation of private keys should be supported",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-147",
"class_": null,
"title": "Use a container registry that supports OCI image-spec images",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-148",
"class_": null,
"title": "Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-149",
"class_": null,
"title": "Cryptographically guarantee policy adherence",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-150",
"class_": null,
"title": "Validate environments and dependencies before usage",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-151",
"class_": null,
"title": "Validate runtime security of build workers",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-152",
"class_": null,
"title": "Validate build artefacts through verifiably reproducible builds",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-153",
"class_": null,
"title": "Lock and Verify External Requirements from the build process",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-154",
"class_": null,
"title": "Find and Eliminate Sources of Non-Determinism",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-155",
"class_": null,
"title": "Record the Build Environment",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-156",
"class_": null,
"title": "Automate Creation of the Build Environment",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-157",
"class_": null,
"title": "Distribute Builds across different infrastructure",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-158",
"class_": null,
"title": "Build and related CI/CD steps should be automated through a pipeline delivered as code",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-159",
"class_": null,
"title": "Standardize pipelines across projects",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-160",
"class_": null,
"title": "Provision a secured orchestration platform to host software factory",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-161",
"class_": null,
"title": "Build workers should be single use",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-162",
"class_": null,
"title": "Ensure software factory has minimal network connectivity",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-163",
"class_": null,
"title": "Segregate the duties of each build worker",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-164",
"class_": null,
"title": "Pass in build worker environment and commands",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-165",
"class_": null,
"title": "Write output to separate secured storage repo",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-166",
"class_": null,
"title": "Only allow pipeline modification through \u201cpipeline as code\u201d",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-167",
"class_": null,
"title": "Define user roles",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-168",
"class_": null,
"title": "Follow established practices for establishing a root of trust from an offline source",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-169",
"class_": null,
"title": "Use short-lived workload certificates",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-170",
"class_": null,
"title": "Ensure clients can perform verification of artefacts and associated metadata",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-171",
"class_": null,
"title": "Ensure clients can verify the \u201cfreshness\u201d of files",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-172",
"class_": null,
"title": "Use an automated approach for managing software updates",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-173",
"class_": null,
"title": "Verify third party artefacts and open source libraries",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-174",
"class_": null,
"title": "Require SBOM from third party suppliers",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-175",
"class_": null,
"title": "Track dependencies between open source components",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-176",
"class_": null,
"title": "Build libraries based upon source code",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-177",
"class_": null,
"title": "Define and prioritize trusted package managers and repositories",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-178",
"class_": null,
"title": "Generate an immutable SBOM of the code",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-179",
"class_": null,
"title": "Scan software for vulnerabilities",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-180",
"class_": null,
"title": "Scan software for license implications",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-181",
"class_": null,
"title": "Run software composition analysis on ingested software",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-182",
"class_": null,
"title": "Commits and tags are signed",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-183",
"class_": null,
"title": "Enforce full attestation and verification for protected branches",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-184",
"class_": null,
"title": "Secrets are not committed to the source code repository unless encrypted",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-185",
"class_": null,
"title": "The individuals or teams with write access to a repository are defined",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-186",
"class_": null,
"title": "Automate software security scanning and testing",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-187",
"class_": null,
"title": "Establish and adhere to contribution policies",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-188",
"class_": null,
"title": "Define roles aligned to functional responsibilities",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-189",
"class_": null,
"title": "Enforce an independent four-eyes principle",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-190",
"class_": null,
"title": "Use branch protection rules",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-191",
"class_": null,
"title": "Enforce MFA for accessing source code repositories",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-192",
"class_": null,
"title": "Use SSH keys to provide developers access to source code repositories",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-193",
"class_": null,
"title": "Have a key rotation policy",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
},
{
"id": "control-194",
"class_": null,
"title": "Use short-lived/ephemeral credentials for machine/service access",
"params": null,
"props": null,
"links": null,
"parts": null,
"controls": null
}
],
"groups": null,
"back_matter": null
}