OpenCRE and Integration Standards
3.3 OpenCRE
The Open Common Requirement Enumeration (OpenCRE) is a catalog of security requirements: enumerating security topics and providing links to various standards, cheat sheets and guides.
The OWASP Integration Standards project includes both the OpenCRE and the Application Security Wayfinder; it is an OWASP documentation project with production status.
What is the Integration Standards project?
The Integration Standards project is at the centre of the OWASP project community; it provides guidance on how to navigate and use the many projects within OWASP. It does this in two ways. The first is the Application Security Wayfinder, which provides a visual map of the most important OWASP projects - as of August 2024 there are 345 OWASP projects, so this is a really useful visualization. The second is the Open Common Requirement Enumeration (OpenCRE), which provides a consolidated reference of standards, cheat sheets, tools and other enumerations (such as CWE).
The Integration Standards project has also produced the OWASP Application Security Fragmentation write-up on OWASP and the secure Software Development LifeCycle (SDLC), which provides an overview of the tools and techniques used in most SDLCs.
What is OpenCRE?
OpenCRE is a catalog, or enumeration, of various standards and reference material, including:
- CAPEC
- CWE
- NIST Special Publications 800-53 and 800-63
- OWASP ASVS
- OWASP Top10
- OWASP Proactive Controls
- OWASP Cheat Sheets
- OWASP WSTG
- ZAP
The aim of this project is to ‘Link all the things with OpenCRE’, which will:
- make it easier for engineers, security officers, testers and procurement to find relevant information
- make it easier for standards makers to create and maintain references
Why use OpenCRE?
OpenCRE: ‘Everything organized’
OpenCRE is a powerful tool that can provide developers with links to many resources, and it is easy to use. It provides a one-stop consolidated set of references on various security terms and domains, and crucially these are automatically kept up to date. This gives a handy security catalog that can be searched for various standards or security terms.
As well as being useful for day to day security questions, the OpenCRE can also be used as the reference section in documentation; linking across to the OpenCRE rather than providing a list of references means the links are kept up to date automatically.
How to use OpenCRE
The OpenCRE catalog can be accessed in traditional ways such as using searches or linking across to it. For example, OpenCRE references to the Common Weakness Enumeration (CWE) can be accessed using the search facility or by linking directly to a specific Open Common Requirement.
OpenCRE is also useful when providing references in documentation. Instead of listing the various references to a security concept or requirement, OpenCRE can be used as the single reference. This provides links to standards, cheat sheets, tools and other enumerations - along with other sources that have been added over time - all kept up to date. So no more broken links or references to out-of-date versions :)
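The cross-walk that makes OpenCRE useful is a join through a common requirement: a section of one standard maps to a CRE, and that CRE maps out to the matching sections of every other standard. The following is an added illustration, not code from the OpenCRE project, and it runs entirely offline against a constructed three-entry catalog. The CRE ids, names and standard links are made up for the example (OpenCRE's real ids and mappings differ), and the `OPENCRE_BASE` URL pattern is an assumption, not taken from the page. It shows the two uses described above: searching from a known section of one standard to the equivalent sections elsewhere, and replacing a per-standard reference list in documentation with a deduplicated set of OpenCRE links.

```python
"""Cross-walking security standards through a Common Requirement Enumeration.

Constructed example: the catalog below is illustrative only and is not
OpenCRE's data. Each CRE entry links one requirement to the sections of the
standards that cover it; the index built from it answers "what else says
the same thing as CWE-79?" style questions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class CRE:
    cre_id: str          # constructed id, not a real OpenCRE id
    name: str
    links: dict          # standard name -> frozenset of section identifiers


# Constructed catalog (illustrative mappings, deliberately small).
CATALOG = [
    CRE("000-001", "Output encoding", {
        "CWE": frozenset({"79"}),
        "ASVS": frozenset({"V5.3.3"}),
        "Proactive Controls": frozenset({"C4"}),
        "Cheat Sheets": frozenset({"Cross Site Scripting Prevention"}),
    }),
    CRE("000-002", "Input validation", {
        "CWE": frozenset({"20"}),
        "ASVS": frozenset({"V5.1.3"}),
        "Proactive Controls": frozenset({"C5"}),
        "WSTG": frozenset({"WSTG-INPV-01"}),
    }),
    CRE("000-003", "Injection prevention", {
        "CWE": frozenset({"79", "89"}),   # one CWE may sit under several CREs
        "ASVS": frozenset({"V5.3.4"}),
        "Top10": frozenset({"A03:2021"}),
    }),
]

# Assumed URL pattern for linking to a CRE; adjust to the live service.
OPENCRE_BASE = "https://www.opencre.org/cre/"


def build_index(catalog):
    """Map (standard, section) -> set of CRE ids that link to that section."""
    index = defaultdict(set)
    for cre in catalog:
        for standard, sections in cre.links.items():
            for section in sections:
                index[(standard, section)].add(cre.cre_id)
    return index


INDEX = build_index(CATALOG)
BY_ID = {cre.cre_id: cre for cre in CATALOG}


def find_cres(standard, section):
    """CRE ids covering one section of one standard (empty set if unknown)."""
    return set(INDEX.get((standard, section), set()))


def crosswalk(standard, section):
    """Sections of every *other* standard that share a CRE with the query.

    Returns {standard_name: sorted list of sections}; the queried standard
    itself is left out so the result reads as 'equivalent material elsewhere'.
    """
    result = defaultdict(set)
    for cre_id in find_cres(standard, section):
        for other, sections in BY_ID[cre_id].links.items():
            if other != standard:
                result[other].update(sections)
    return {std: sorted(secs) for std, secs in sorted(result.items())}


def doc_references(citations):
    """Replace a list of per-standard citations with deduplicated CRE links.

    `citations` is an iterable of (standard, section) pairs as they would
    appear in a document's reference section; the output is the single set
    of OpenCRE links that covers all of them.
    """
    cre_ids = set()
    for standard, section in citations:
        cre_ids.update(find_cres(standard, section))
    return [OPENCRE_BASE + cre_id for cre_id in sorted(cre_ids)]


if __name__ == "__main__":
    for std, secs in crosswalk("CWE", "79").items():
        print(f"{std}: {', '.join(secs)}")
    print(doc_references([("CWE", "79"), ("ASVS", "V5.3.3")]))
```

The two-step join (section to CRE, CRE back out to sections) is what lets a document cite one stable CRE link instead of a per-standard list: when a standard renumbers a section, only the catalog entry changes and the citing document does not.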
This is now the age of large language models, and OpenCRE has embraced this technology: immediate answers to security questions or searches can be provided by OpenCRE Chat.
For example, in answer to the question “what use is the OWASP Developer Guide?” OpenCRE Chat provides the agreeable answer:
“The OWASP Developer Guide provides a comprehensive overview of application security risks and how to mitigate them. It covers topics such as input validation, output encoding, secure coding practices, and secure design principles. The guide is a valuable resource for developers who want to create secure applications.”
References
- OWASP OpenCRE
- Spotlight on OpenCRE
- OWASP Application Security Fragmentation
- OWASP Integration Standards project
- Understanding the Complete Chain of Application Security Using OpenCRE org
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.