owaspsamm / core

Core model including reused documentation
Creative Commons Attribution Share Alike 4.0 International

Potential confusion around Build Process checks and Scalable Baseline #21

Open derweiser opened 2 years ago

derweiser commented 2 years ago

The section Implementation/Secure Build/Build Process (Maturity Level 2) contains the following line: "Finally, add appropriate automated security checks (e.g. using SAST tools) in the pipeline to leverage the automation for security benefit."

To me this seems unclear compared to the requirement for Scalable Baseline (Maturity Level 1) which states "Use automated static and dynamic security test tools for software, resulting in more efficient security testing and higher quality results."

My recommendation would be to remove the line from Build Process entirely. I don't believe this would lessen the key takeaway for Build Process, i.e. "maintain the integrity of the build process", and it would avoid confusion as to where you are scoring the use of SAST in the pipeline.

Thanks for considering this issue.

Nathan

23bartman commented 5 months ago

This was discussed in the BE summit and we are clarifying the overlap between Build Process and Scalable Baseline. We will keep the suggestion to use SAST in the Build Process security practice (it's not a quality criterion currently), but we will reformulate the use of build and deploy pipelines in Scalable Baseline to focus on automation rather than on the pipelines themselves.