mitre / heimdall2

Heimdall Enterprise Server 2 lets you view, store, and compare automated security control scan results.

Export to Checklist populates too many CCIs based on NIST Tag #6359

Open ejaronne opened 2 weeks ago

ejaronne commented 2 weeks ago

To re-create:

On https://heimdall-lite.mitre.org/ load OWASP ZAP Webgoat sample. Export to checklist. Load that file also into Heimdall:


The Export takes SC-8 and, instead of looking up only SC-8 or the SC-8 a, b, c partials, inadvertently and incorrectly grabs control enhancements such as SC-8 (1), SC-8 (2), etc.

We need to enhance the algorithm to be more precise. Adding so many controls will confuse and stress users.
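The behaviour described above is what a plain prefix match on the tag string produces: "SC-8" is a prefix of "SC-8 (1)", "SC-8 (2)" and even "SC-80". The following is an added example, not Heimdall's own export code, showing the naive lookup beside a precise one that parses the control ID into family, number, enhancement and part before comparing. The CCI index and the CCI numbers in it are constructed placeholders, not the real CCI list.

```typescript
// Added illustration, not code from mitre/heimdall2.
// Constructed CCI -> NIST 800-53 control index; the CCI numbers are placeholders.
const CCI_INDEX: Record<string, string[]> = {
  'CCI-000001': ['SC-8'],
  'CCI-000002': ['SC-8 a'],
  'CCI-000003': ['SC-8 (1)'],
  'CCI-000004': ['SC-8 (2)'],
  'CCI-000005': ['SC-80'],
  'CCI-000006': ['AC-2 a'],
};

interface ControlId {
  family: string;      // e.g. "SC"
  number: number;      // e.g. 8
  enhancement?: number; // e.g. 1 for "SC-8 (1)"; undefined for the base control
  part?: string;       // e.g. "a" for "SC-8 a"; undefined for the whole control
}

// Family, dash, number, optional "(n)" enhancement, optional "a" / "a.1" part.
const CONTROL_RE = /^([A-Z]{2})-(\d+)(?:\s*\((\d+)\))?(?:\s*([a-z](?:\.\d+)*))?$/i;

function parseControlId(tag: string): ControlId | null {
  const m = CONTROL_RE.exec(tag.trim());
  if (!m) return null;
  return {
    family: m[1].toUpperCase(),
    number: Number(m[2]),
    enhancement: m[3] !== undefined ? Number(m[3]) : undefined,
    part: m[4] !== undefined ? m[4].toLowerCase() : undefined,
  };
}

// Naive lookup that reproduces the reported over-matching: string prefix on the tag.
function ccisForTagNaive(tag: string, index: Record<string, string[]> = CCI_INDEX): string[] {
  return Object.entries(index)
    .filter(([, controls]) => controls.some((c) => c.startsWith(tag)))
    .map(([cci]) => cci)
    .sort();
}

// Precise lookup: same family and number, same enhancement (none when the tag
// has none, so SC-8 never pulls in SC-8 (1)), and when the tag names a part,
// only that part or the whole control. A tag with no part (SC-8) still returns
// the a/b/c partials of the same base control.
function ccisForTag(tag: string, index: Record<string, string[]> = CCI_INDEX): string[] {
  const want = parseControlId(tag);
  if (!want) return [];
  return Object.entries(index)
    .filter(([, controls]) =>
      controls.some((c) => {
        const have = parseControlId(c);
        return (
          have !== null &&
          have.family === want.family &&
          have.number === want.number &&
          have.enhancement === want.enhancement &&
          (want.part === undefined || have.part === undefined || have.part === want.part)
        );
      }),
    )
    .map(([cci]) => cci)
    .sort();
}

console.log('naive  SC-8 ->', ccisForTagNaive('SC-8'));
console.log('precise SC-8 ->', ccisForTag('SC-8'));
console.log('precise SC-8 (1) ->', ccisForTag('SC-8 (1)'));
```

Against the constructed index, the naive lookup returns all five SC-8* CCIs including the SC-80 one, while the precise lookup returns only the base control and its partial. Enhancements are only reached when the tag itself carries the "(n)" suffix.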

aaronlippold commented 2 weeks ago

And why doesn't the control above it have a CCI as well?

aaronlippold commented 2 weeks ago

The number of CCIs should never exceed the number of 800-53 controls.