forked from mitre/mitre-saf
resources.json
{
  "items": [
    {
      "name": "Overview",
      "tag": "overview",
      "desc": "See here for a one-page overview of how to use the MITRE SAF to help developers, assessors, and operations teams automate security in their current processes.",
      "values": [
        {
          "name": "How To Use The MITRE SAF",
          "desc": "",
          "download_link": "How to Use the MITRE SAF.pdf"
        }
      ]
    },
    {
      "name": "SAF Tooling at a Glance",
      "tag": "tools",
      "desc": "The SAF is a framework, not one tool. So, to figure out what tools you need in your environment, take a look at this diagram. The SAF helps piece all of this together. For more information on getting tools into your environment, look at InSpec, SAF CLI, and Heimdall.",
      "image": {
        "file": "SAF_Tools_Security_Validation.png",
        "alt": "The SAF consists of five pillars: 'Plan', 'Harden', 'Validate', 'Normalize', and 'Visualize'. Under 'Plan', you can use Vulcan to develop implementation-specific guidance from more general guides (like STIGs from SRGs) or choose to use pre-existing guidance like DISA STIGs, CIS Benchmarks, or Vendor Security Checklists. Under 'Harden', you can use infrastructure-as-code or configuration management software like Ansible, Progress Chef, Puppet, or Terraform - many scripts are already created and available for use. Under 'Validate', you can use the SAF CLI to generate InSpec profile stubs that can then be refined manually. Once you have created those profiles or found the many profiles already created and available for use, you can use InSpec to generate Heimdall Data Format (HDF) output via the JSON reporter. You can also use various other 3rd party tools to get scan results. Under 'Normalize', you can take the results of those 3rd party scans and convert them into HDF via the SAF CLI. Under 'Visualize', you can view HDF within Heimdall. You can also use the SAF CLI to generate and view other information such as how the results compare against previously generated thresholds. Additionally, you can view scan results in other applications after conversion and upload by the SAF CLI or Emasser."
      }
    },
    {
      "name": "Mature DevSecOps Best Practices",
      "tag": "dso",
      "desc": "DevSecOps is a software development framework that stresses automation and rapid user feedback to deliver quality, secure software quickly. A DevSecOps pipeline is a collection of tools and practices that can automate as much of development as possible, from testing to change management to deployment.",
      "values": [
        {
          "name": "DevSecOps Best Practices Guide",
          "desc": "",
          "download_link": "DevSecOps_Best_Practices_Guide_01262020.pdf"
        }
      ]
    },
    {
      "name": "InSpec",
      "tag": "inspec",
      "desc": "InSpec is a free and open-source Chef framework for testing and auditing applications and infrastructure. InSpec is designed to integrate very easily into existing DevOps pipelines. MITRE has partnered with the open-source community to create a growing number of baseline testing profiles to make it easy for developers to jump right in.",
      "values": [
        {
          "name": "InSpec Documentation",
          "desc": "InSpec's main webpage containing all written documentation and walkthroughs of the tool",
          "link": "https://www.inspec.io/docs/"
        },
        {
          "name": "InSpec Profile Resources Reference",
          "desc": "List of the existing InSpec resources available for the user to search through (known as InSpec \"resources\")",
          "link": "https://www.inspec.io/docs/reference/resources/"
        },
        {
          "name": "Introduction to InSpec Video Courses",
          "desc": "Video tutorials demonstrating and explaining how InSpec operates",
          "link": "https://www.youtube.com/playlist?list=PLSZbtIlMt5rcbXOpMRucKzRMXR7HX7awy"
        },
        {
          "name": "InSpec Profile Developers Course",
          "desc": "Reviews the basics of how to write and run tests",
          "link": "https://mitre-inspec-developer.netlify.com/"
        },
        {
          "name": "InSpec Advanced Developer Course",
          "desc": "In-depth explanation of some of the higher functionalities provided by InSpec",
          "link": "https://mitre-inspec-advanced-developer.netlify.com/"
        },
        {
          "name": "SAF CLI",
          "desc": "Guide to installation of SAF CLI",
          "link": "https://saf-cli.mitre.org/"
        }
      ]
    },
    {
      "name": "How is InSpec deployed?",
      "tag": "deploy",
      "desc": "It is intended and recommended that InSpec be installed on a \"runner\" host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) and run against the target remotely. However, InSpec may be deployed in various ways depending on the needs of the user:",
      "image": "inspec-runner.png"
    }
  ],
  "videos": [
    {
      "name": "Inspec: Human Readable, Automated Compliance",
      "link": "https://www.youtube.com/embed/IaUjpJ5SUAA"
    }
  ]
}