bmt 0.4.0 → 0.5.0

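--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 54db582c2fa9dee7782d78679c394a81bd58be62c19a543dcf2f343b48f9acd9
-data.tar.gz: c2c95ae74e58f7025f7a9a1e3f39238e83a5350c8f1bee875f407e9bf4d435c5
+metadata.gz: c8f63d37d7567b8009bd97b4f4762bf12ed9561419e33aaf8aff1a5be7886b95
+data.tar.gz: 59384b86157f6b45ddd2528510759c08c9afe7b794a420416bfb0b9066e5862f
 SHA512:
-metadata.gz: 3a8a16cb4896e1b004f69790782a3a89eb294ac42b87821fca2664bc6823acfd9ec83cbcfa4c8dbbceb556ffecb35919a6a671a542419eb3d5bcf368b0f74aa4
-data.tar.gz: c0de897ad4c9bcf04412fee1035eb108b9f2f905b16616df7c0c316c981e473744df0475e3245cb207ee9ed826798e32e755a427d253a4251995077dd7183eda
+metadata.gz: 56460d63293b10510e4b0ef5dd7bc08bdfad20fa26234b3550a74bb6e490029e66836d751c2d83e0c0a6d670b7c2310a131351247a12ed2e17c074c86d9cd392
+data.tar.gz: 0b4386393e5970030151df3a432d9a5efbbe8466b12e147035318f8a6963545b5f836f948127414e0695dc9740c281d04dcedaa3f43ca90752166717772ede73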
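--- a/data/lib/bmt/version.rb
+++ b/data/lib/bmt/version.rb
@@ -1,3 +1,3 @@
 module Bmt
-VERSION = '0.4.0'.freeze
+VERSION = '0.5.0'.freeze
 end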
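--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bmt
 version: !ruby/object:Gem::Version
-version: 0.4.0
+version: 0.5.0
 platform: ruby
 authors:
 - Federico Tagliabue
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-23 00:00:00.000000000 Z
+date: 2023-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -92,15 +92,6 @@ files:
 - lib/bmt/methodology.rb
 - lib/bmt/step.rb
 - lib/bmt/version.rb
-- lib/data/0.1/mappings/templates.json
-- lib/data/0.1/mappings/templates.schema.json
-- lib/data/0.1/methodologies/binaries.json
-- lib/data/0.1/methodologies/mobile_android.json
-- lib/data/0.1/methodologies/mobile_ios.json
-- lib/data/0.1/methodologies/network.json
-- lib/data/0.1/methodologies/template.json
-- lib/data/0.1/methodologies/website_testing.json
-- lib/data/0.1/schema.json
 homepage: https://github.com/bugcrowd/bmt-ruby
 licenses:
 - MIT
@@ -124,7 +115,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Ruby wrapper for Bugcrowd's Methodology Taxonomy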
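Review bot: The `files:` list now omits every entry under `lib/data/0.1/` (the mappings, the methodology JSON files and `schema.json`) while `lib/bmt/methodology.rb` and `lib/bmt/step.rb` are still shipped, so any code path that loads methodology data from that directory has nothing left to read; those loaders are not part of this diff, so I cannot confirm they were changed to match. It is worth confirming that asking for a methodology that is no longer bundled fails with a clear library-level error rather than a raw `Errno::ENOENT`, and that the removal is called out for 0.4.0 callers who relied on the bundled data, since this would break them on upgrade. Separately, `cert_chain: []` and the empty `signing_key:` carry over unchanged, so the release is still unsigned and consumers can only verify it against the digests in `checksums.yaml`.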
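--- a/lib/data/0.1/mappings/templates.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
-"metadata": {
-"title": "Methodology Taxonomy Template Mapping"
-},
-"content": [
-{
-"methodology": "website_testing",
-"children": [
-{
-"key": "information",
-"attribute": "notes",
-"template": "information.md"
-}
-]
-}
-]
-}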
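--- a/lib/data/0.1/mappings/templates.schema.json
+++ /dev/null
@@ -1,62 +0,0 @@
-{
-"$schema": "http://json-schema.org/draft-07/schema#",
-"title": "Methodology Taxonomy Mapping",
-"description": "Mapping to methodology taxonomy",
-"definitions": {
-"MappingMetadata": {
-"type": "object",
-"properties": {
-"title": {
-"type": "string",
-"pattern": "^[ a-zA-Z0-9\\-+()\/,.<]*$"
-}
-},
-"required": ["title"]
-},
-"BMTKey": { "type": "string", "pattern": "^[a-z_]*$" },
-"Attribute": { "type": "string", "pattern": "^[a-z_]*$" },
-"Template": { "type": "string", "pattern": "[a-z_.]*$" },
-"Mapping": {
-"type": "object",
-"properties": {
-"key": { "$ref": "#/definitions/BMTKey" },
-"attribute": { "$ref": "#/definitions/Attribute" },
-"template" : { "$ref": "#/definitions/Template" }
-},
-"required": ["key", "attribute", "template"],
-"additionalProperties": false
-},
-"MappingParent": {
-"type": "object",
-"properties": {
-"methodology": { "$ref": "#/definitions/BMTKey" },
-"children": {
-"type": "array",
-"items" : {
-"anyOf": [
-{ "$ref": "#/definitions/Mapping" }
-]
-}
-}
-},
-"required": ["methodology", "children"],
-"additionalProperties": false
-}
-},
-"type": "object",
-"required": ["metadata", "content"],
-"properties": {
-"metadata": {
-"$ref": "#/definitions/MappingMetadata"
-},
-"content": {
-"type": "array",
-"items" : {
-"anyOf": [
-{ "$ref": "#/definitions/MappingParent" },
-{ "$ref": "#/definitions/Mapping" }
-]
-}
-}
-}
-}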
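--- a/lib/data/0.1/methodologies/binaries.json
+++ /dev/null
@@ -1,252 +0,0 @@
-{
-"metadata": {
-"title": "Binary",
-"release_date": "2022-01-10T00:00:00+00:00",
-"description": "Bugcrowd Binary testing methodology",
-"vrt_version": "10.0.1"
-},
-"content": {
-"steps": [
-{
-"key": "insufficient_authentication_authorization",
-"title": "Insufficient Authentication/Authorization",
-"description": "",
-"type": "checklist",
-"items": [
-{
-"description": "",
-"key": "multi_user_environment",
-"caption": "",
-"title": "Assess the application for multi-user environments and ensure it includes functionality for role separation."
-},
-{
-"description": "",
-"key": "password_recovery_mechanism",
-"caption": "",
-"title": "Assess password recovery mechanisms and ensure session management is properly maintained/terminated at the remote endpoint."
-}
-]
-},
-{
-"key": "insecure_network_services",
-"title": "Insecure Network Services",
-"description": "",
-"type": "checklist",
-"items": [
-{
-"description": "",
-"key": "ensure_network_services",
-"caption": "",
-"title": "Assess the application to ensure network services for potentially interesting crashes or denial-of-service conditions that might indicate the presence of a memory corruption issue."
-},
-{
-"description": "",
-"key": "ensure_debugging_services",
-"caption": "",
-"title": "Assess the application to ensure debugging services are not present (and if present, test those services for access controls/default credentials)."
-}
-]
-},
-{
-"key": "lack_of_transport_encryption",
-"title": "Lack of Transport Encryption",
-"description": "",
-"type": "checklist",
-"items": [
-{
-"description": "",
-"key": "assess_encrypted_communication",
-"caption": "",
-"title": "Assess the application to determine the use of modern encrypted communication between endpoints."
-},
-{
-"description": "",
-"key": "assess_encrypted_practice",
-"caption": "",
-"title": "Assess the application to determine if accepted encryption practices are used."
-}
-]
-},
-{
-"key": "privacy_concerns",
-"title": "Privacy Concerns",
-"description": "",
-"type": "checklist",
-"items": [
-{
-"description": "",
-"key": "assess_personal_information_collected",
-"caption": "",
-"title": "Assess the application to determine the amount of personal information collected."
-},
-{
-"description": "",
-"key": "assess_personal_data_encryption",
-"caption": "",
-"title": "Assess the application to determine if collected personal data is properly protected using encryption at rest and in transit."
-},
-{
-"description": "",
-"key": "assess_data_de_identified_or_anonymized",
-"caption": "",
-"title": "Assess the application to determine if data is de-identified or anonymized."
-},
-{
-"description": "",
-"key": "no_sesitive_data",
-"caption": "",
-"title": "No sensitive data, such as passwords or pins, are exposed through the user interface."
-},
-{
-"description": "",
-"key": "no_sensitive_log_info",
-"caption": "",
-"title": "No sensitive information is contained in logs generated by the application."
-},
-{
-"description": "",
-"key": "assess_personal_info_sending_to_remote_location",
-"caption": "",
-"title": "Assess whether the application sends personal/identifying information to a remote location even though it is only required for local use."
-}
-]
-},
-{
-"key": "insecure_cloud_interface",
-"title": "Insecure Cloud Interface (where applicable)",
-"description": "",
-"type": "checklist",
-"items": [
-{
-"description": "",
-"key": "assess_cloud_for_security_vulnerability",
-"caption": "",
-"title": "Assess the cloud interfaces for security vulnerabilities (e.g.testing both API interfaces and cloud-based web interfaces for common (and uncommon) web application issues)."
-},
-{
-"description": "",
-"key": "assess_secure_transport_in_cloud",
-"caption": "",
-"title": "Assess all cloud interfaces to ensure secure transport encryption is used."
-}
-]
-},
-{
-"key": "insecure_software_firmware",
-"title": "Insecure Software/Firmware",
-"description": "",
-"type": "checklist",
-"items": [
-{
-"description": "",
-"key": "assess_application_update_capability",
-"caption": "",
-"title": "Assess the application to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered."
-},
-{
-"description": "",
-"key": "assess_encrypted_file_transfer",
-"caption": "",
-"title": "Assess the application to ensure it uses encrypted update files and that the files are transmitted using encryption."
-},
-{
-"description": "",
-"key": "assess_signed_files",
-"caption": "",
-"title": "Assess the application to ensure it uses signed files and then validates those files before installation."
-},
-{
-"description": "",
-"key": "assess_insecure_function_calls",
-"caption": "",
-"title": "Assess the application for insecure/dangerous function calls."
-},
-{
-"description": "",
-"key": "assess_user_input_sanitization",
-"caption": "",
-"title": "Assess the application to ensure ensure all user-controllable input data is sanitized prior to use."
-},
-{
-"description": "",
-"key": "ensure_all_third_party_components",
-"caption": "",
-"title": "Ensure all third party components used by the application, such as libraries and frameworks, are identified, and checked for known vulnerabilities."
-},
-{
-"description": "",
-"key": "assess_hardcoded_sensitive_info",
-"caption": "",
-"title": "Assess the application for signs of hardcoded sensitive information - e.g. credentials, URLs, API keys, etc."
-},
-{
-"description": "",
-"key": "assess_secure_random_number_generator",
-"caption": "",
-"title": "Assess the application to ensure all random values are generated using a sufficiently secure random number generator."
-},
-{
-"description": "",
-"key": "assess_input_via_dynamic_testing",
-"caption": "",
-"title": "Assess inputs on the application via dynamic testing (e.g. fuzzing) to identify potentially interesting crashes or denial-of-service conditions that might suggest the presence of a memory corruption or command injection issue."
-},
-{
-"description": "",
-"key": "assess_misconfigured_permission",
-"caption": "",
-"title": "Assess the application for misconfigured permissions, allowing for the escalation of privileges (e.g. DLL spoofing/hijacking, etc)."
-},
-{
-"description": "",
-"key": "assess_minimal_permissions",
-"caption": "",
-"title": "Assess the application to ensure it only uses the minimum set of permissions necessary."
-},
-{
-"description": "",
-"key": "assess_object_deserialization",
-"caption": "",
-"title": "Assess the application for unsafe object deserialization behavior that might lead to command injection."
-},
-{
-"description": "",
-"key": "assess_compiler_os_exploit_mitigation",
-"caption": "",
-"title": "Assess the application to ensure Basic OS/compiler exploit mitigation features, such stack protection/exploit mitigation (DEP, ASLR, stack canaries, etc) are activated."
-},
-{
-"description": "",
-"key": "assess_authentication_bypass",
-"caption": "",
-"title": "Assess the application for authentication bypasses and backdoors, allowing for access to functions/features outside of intended-use flows."
-},
-{
-"description": "",
-"key": "assess_application_for_internal_use",
-"caption": "",
-"title": "Assess the application for ability to access/use components meant for internal or administrative use (e.g. leftover debugging functionality not intended to exist in production)."
-},
-{
-"description": "",
-"key": "assess_for_undocumented_api_endpoints",
-"caption": "",
-"title": "Assess the application for undocumented API endpoints, and assess those for common vulnerabilities, as well as authentication bypasses."
-}
-]
-},
-{
-"key": "upload_logs",
-"title": "Upload logs",
-"description": "This should include all associated traffic associated to the in-scope targets.",
-"type": "large_upload"
-},
-{
-"key": "executive_summary",
-"title": "Executive summary",
-"description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
-"type": "executive_summary"
-}
-]
-}
-}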