risk-redux / risque

NIST SP 800-30, Guide for Conducting Risk Assessments
https://risque.risk-redux.io

Support OSCAL POA&M Export #30

Open xee5ch opened 2 years ago

xee5ch commented 2 years ago

First time caller, long-time listener from oscal.club. Hello! I like this app, but had not noticed this gem in the Risk Redux portfolio until I heard people mention it today. Would you be interested in adding OSCAL POA&M export? Let me know and I can try to dust off my RoR knowledge and chip in, or just cheer from the sidelines, whatever works with this project.

Either way, very nice work!

egyptiankarim commented 2 years ago

> Would you be interested in adding OSCAL POA&M export?

Oh! I like that idea! How would you imagine something like that working, exactly, though? Are you thinking it'd be augmenting the "recommendations" we capture as a part of the objects we create in risqué? Or are you thinking more like a totally separate app that can be used to draft up POAMs on their own? I can potentially see either working really well, but the separate app idea feels like a more flexible approach.

xee5ch commented 2 years ago

> Oh! I like that idea! How would you imagine something like that working, exactly, though? Are you thinking it'd be augmenting the "recommendations" we capture as a part of the objects we create in risqué? Or are you thinking more like a totally separate app that can be used to draft up POAMs on their own? I can potentially see either working really well, but the separate app idea feels like a more flexible approach.

This is interesting. I was thinking more towards the former. The latter is a big lift (or a significant shift from the current vision of the app), right? Let me play around with the app and get back to you maybe? :-)

xee5ch commented 2 years ago

I'd say one of the bigger issues, after quickly reorienting myself and playing with Risque (love the simplicity in UX and interface, BTW), is that OSCAL is systemic and wants to make a POA&M that links back to an Assessment Result (AR), and that AR to an Assessment Plan (AP), and that AP should link back to an SSP describing the system assessed. I think I need to investigate how much "stuff" you can get away with in only a POA&M if you want, and stub out saying "we have UUIDs for those things from another API or tool, I am an expert user" or just leave them blank for now.

Anyway, this is an interesting challenge to explore. I guess I could come up with some ideas and you can tell how reasonable or unreasonable that is for the context of this app?
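To make the "how much can you stub out" question concrete, here is an added sketch (not code from the risque project or from either commenter) of the narrow export the former option implies: take the app's risk records with their recommendations, emit a minimal OSCAL POA&M JSON document where each recommendation becomes a risk remediation with lifecycle `recommendation`, and keep the link to the rest of the OSCAL chain as an optional `import-ssp` href that an "expert user" can fill in or leave out. The Risqué record shape (`title`, `status`, `recommendations`, ...) is hypothetical, the sample records are constructed, and the OSCAL field names and enumerations follow my reading of the OSCAL 1.0.x POA&M JSON layer, so they should be validated against the schema version actually targeted.

```ruby
require "json"
require "securerandom"
require "time"

# Risk status and remediation lifecycle values as I read them in the
# OSCAL 1.0.x POA&M JSON schema (assumption: check against the schema
# version you target before shipping an exporter).
RISK_STATUSES = %w[open investigating remediating deviation-requested deviation-approved closed].freeze
LIFECYCLES    = %w[recommendation planned completed].freeze

# Constructed sample of what a Risqué-style risk record might look like
# once pulled out of the app. The field names are hypothetical.
SAMPLE_RISKS = [
  {
    title: "Unpatched TLS library on public web tier",
    description: "Outdated OpenSSL build exposes known weaknesses.",
    status: "open",
    recommendations: ["Upgrade OpenSSL to the vendor-supported release."],
    deadline: "2024-06-30T00:00:00Z"
  },
  {
    title: "Shared admin account",
    description: "Operations staff share a single privileged login.",
    status: "remediating",
    recommendations: ["Issue individual admin accounts.", "Enable MFA on each account."],
    deadline: nil
  }
].freeze

# Map one app record to an OSCAL risk, one remediation per recommendation.
def oscal_risk(record)
  raise ArgumentError, "unknown risk status #{record[:status].inspect}" unless RISK_STATUSES.include?(record[:status])

  risk = {
    "uuid" => SecureRandom.uuid,
    "title" => record[:title],
    "description" => record[:description],
    "statement" => record[:description],
    "status" => record[:status],
    "remediations" => record[:recommendations].map { |text|
      {
        "uuid" => SecureRandom.uuid,
        "lifecycle" => LIFECYCLES.first, # "recommendation": nothing is planned yet
        "title" => text[0, 60],
        "description" => text
      }
    }
  }
  risk["deadline"] = record[:deadline] if record[:deadline]
  risk
end

# Build the POA&M document. `ssp_href` is the stub discussed in the thread:
# nil leaves the import-ssp link out entirely, a string is inserted as-is.
def build_poam(records, title:, ssp_href: nil, now: Time.now.utc)
  risks = records.map { |r| oscal_risk(r) }
  poam = {
    "uuid" => SecureRandom.uuid,
    "metadata" => {
      "title" => title,
      "last-modified" => now.iso8601,
      "version" => "1.0",
      "oscal-version" => "1.0.4" # assumption: whichever OSCAL release the export targets
    },
    "risks" => risks,
    # One POA&M item per risk, pointing back at the risk by UUID.
    "poam-items" => risks.map { |risk|
      {
        "uuid" => SecureRandom.uuid,
        "title" => risk["title"],
        "description" => risk["description"],
        "related-risks" => [{ "risk-uuid" => risk["uuid"] }]
      }
    }
  }
  poam["import-ssp"] = { "href" => ssp_href } if ssp_href
  { "plan-of-action-and-milestones" => poam }
end

# Sanity check before writing the file: every poam-item must reference a
# risk UUID that exists in this same document.
def cross_refs_resolve?(doc)
  poam = doc["plan-of-action-and-milestones"]
  known = poam["risks"].map { |r| r["uuid"] }
  poam["poam-items"].all? do |item|
    item["related-risks"].all? { |ref| known.include?(ref["risk-uuid"]) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Placeholder href: an expert user would substitute the real SSP location.
  doc = build_poam(SAMPLE_RISKS, title: "Risqué export", ssp_href: "urn:uuid:PLACEHOLDER-SSP-UUID")
  raise "dangling risk references" unless cross_refs_resolve?(doc)
  puts JSON.pretty_generate(doc)
end
```

The point of keeping `import-ssp` optional is that the exporter stays useful on its own: an app that only knows about risks and recommendations can still produce a document a downstream tool can ingest, and the AR/AP/SSP linkage can be added later by whoever holds those UUIDs, without the app having to model any of it.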