OWASP Product Security Capability Framework

OWASP Labs GitHub Release Follow on Twitter OpenSSF Best Practices

The OWASP Product Security Capability Framework (PSCF)

This is the OWASP framework for building security capabilities into your product delivery process and teams.

The main website for the PSCF is on Prods.ec and includes many more details about the Framework along with explanatory videos.

We created the Product Security Capability Framework to provide a clear way of thinking about software product security and the delivery activities that lead to building and maintaining the right level of security for your customers and your organisation.

This framework is designed to be the foundation of:

  • Your point-in-time appraisals of current security capability
  • The security policy defining how your organisation works to build secure products
  • Your strategic product security programme for continuous improvement

The framework currently consists of six (6) process areas and thirty-two (32) capabilities.


PSCF

The current 1.0 version of the framework is available here in Google Sheets and anyone with can comment and contribute there.

The Sheet allows someone to do an assessment of their own organisation’s capabilities and get a report.

The full text and multimedia site is available on Prods.ec

Risk Management

PSCF-RM-OOM: Organisational Operating Model

The capability to evaluate and apply fair and scalable accountabilities and reponsibilities for capabilities across the delivery organisation.

PSCF-RM-CCI: Continuous Capability Improvement

The capability to evaluate capabilities in this framework that require improvement and apply improvements over time

PSCF-RM-TPC: Third-Party Components

The capability to evaluate and select third-party component suppliers

PSCF-RM-TPD: Third-Party Software Development Services

The capability to evaluate and select secure third-party development services suppliers

PSCF-RM-TPS: Third-Party Software-as-a-Service

The capability to evaluate and select secure SaaS offerings from third parties

PSCF-RM-CO: Compliance Obligations

The capability to define, understand and apply your obligations for compliance to your product delivery process

PSCF-RM-DPO: Data Processing Obligations

The capability to define, understand and apply your obligations for data processing to your product delivery process

PSCF-RM-BIA: Business Impact Assessment

The capability to analyse the business value of products and the effects security disruptions to that product will have on business

PSCF-RM-TI: Threat Intelligence

The capability to define and understand criminal abuses your product might be exposed to and apply this understanding to product delivery

Secure Product Management

The capability to evaluate and select secure recommended components suitable for use in the organisation’s products

The capability to evaluate and select shared security services suitable for use in the organisation’s products

PSCF-SPM-DM: Delivery Metrics

The capability to quantitatively evaluate the efficiency of delivery capabilities

PSCF-SPM-QM: Quality Metrics

The capability to quantitatively evaluate all aspects of your product’s quality

PSCF-SPM-POM: Product Operating Model

The capability to analyse your products and define their scope, processes and operating requirements across their lifecycle

PSCF-SPM-MAR: Minimum Application Requirements For Security

The capability to evaluate and select a list of minimum security requirements suitable for use in the organisation’s products

Secure Product Implementation

PSCF-SPI-DC: Data Classification

The capability to maintain a Data Catalogue of data in use by your product that records its criticality, sensitivity and requirement

PSCF-SPI-FRA: Functional Requirement Analysis

The capability to analyse functional product requirements for security requirements arising

PSCF-SPI-ATM: Agile Threat Modelling

The capability to evaluate product designs for their resilience to security threats

PSCF-SPI-CM: Component Management

The capability to evaluate, select and maintain secure product components used by your product

PSCF-SPI-SCP: Secure Coding Practices

The capability to define, understand and apply secure coding practices to the creation of source code for use in the organisation’s products

Secure Build And Deployment

PSCF-SBD-DM: Dependency Management

The capability to evaluate and select secure software dependencies used by your product

PSCF-SBD-BP: Build Process

The capability to securely assemble product artefacts from their codebases and dependencies

PSCF-SBD-AI: Artifact Integrity

The capability to use product artefacts from trusted sources and evaluate any that change

PSCF-SBD-DI: Data Integrity

use data in your product that is obtained from and stored in trusted sources and evaluate any changes

PSCF-SBD-SM: Secrets Management

The capability to restrict access to product secrets to only when required by those people and systems that need them

PSCF-SBD-DP: Deployment Process

securely deploy a product and its components from a known set of artefacts

Get Involved

Coming soon for now either comment on the Google Sheet or join Slack and then jump into the #project-pscf

Call for Sponsors

The PSCF would not have been possible without the project’s sponsors and supporters.

Project Sponsors & Supporters

Quality Control

PSCF-QC-CST: Component Security Testing

The capability to analyse products for security issues in source code and included libraries

PSCF-QC-EST: Exploratory Security Testing

The capability to analyse products for security issues in running systems

PSCF-QC-SDM: Security Defect Management

The capability to evaluate findings from security checks through to resolution

Operational Visibility

PSCF-OV-EM: Environment Management

The capability to apply secure system configurations and evaluate any that change

PSCF-OV-ID: Incident Detection

The capability to analyse product events and evaluate them for those that indicate a security incident

PSCF-OV-IR: Incident Response

The capability to apply appropriate responses to identified security incidents

Watch Star