bmt 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
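--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 54db582c2fa9dee7782d78679c394a81bd58be62c19a543dcf2f343b48f9acd9
-data.tar.gz: c2c95ae74e58f7025f7a9a1e3f39238e83a5350c8f1bee875f407e9bf4d435c5
+metadata.gz: c8f63d37d7567b8009bd97b4f4762bf12ed9561419e33aaf8aff1a5be7886b95
+data.tar.gz: 59384b86157f6b45ddd2528510759c08c9afe7b794a420416bfb0b9066e5862f
 SHA512:
-metadata.gz: 3a8a16cb4896e1b004f69790782a3a89eb294ac42b87821fca2664bc6823acfd9ec83cbcfa4c8dbbceb556ffecb35919a6a671a542419eb3d5bcf368b0f74aa4
-data.tar.gz: c0de897ad4c9bcf04412fee1035eb108b9f2f905b16616df7c0c316c981e473744df0475e3245cb207ee9ed826798e32e755a427d253a4251995077dd7183eda
+metadata.gz: 56460d63293b10510e4b0ef5dd7bc08bdfad20fa26234b3550a74bb6e490029e66836d751c2d83e0c0a6d670b7c2310a131351247a12ed2e17c074c86d9cd392
+data.tar.gz: 0b4386393e5970030151df3a432d9a5efbbe8466b12e147035318f8a6963545b5f836f948127414e0695dc9740c281d04dcedaa3f43ca90752166717772ede73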
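--- a/data/lib/bmt/version.rb
+++ b/data/lib/bmt/version.rb
@@ -1,3 +1,3 @@
 module Bmt
-VERSION = '0.4.0'.freeze
+VERSION = '0.5.0'.freeze
 end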
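--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bmt
 version: !ruby/object:Gem::Version
-version: 0.4.0
+version: 0.5.0
 platform: ruby
 authors:
 - Federico Tagliabue
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-23 00:00:00.000000000 Z
+date: 2023-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -92,15 +92,6 @@ files:
 - lib/bmt/methodology.rb
 - lib/bmt/step.rb
 - lib/bmt/version.rb
-- lib/data/0.1/mappings/templates.json
-- lib/data/0.1/mappings/templates.schema.json
-- lib/data/0.1/methodologies/binaries.json
-- lib/data/0.1/methodologies/mobile_android.json
-- lib/data/0.1/methodologies/mobile_ios.json
-- lib/data/0.1/methodologies/network.json
-- lib/data/0.1/methodologies/template.json
-- lib/data/0.1/methodologies/website_testing.json
-- lib/data/0.1/schema.json
 homepage: https://github.com/bugcrowd/bmt-ruby
 licenses:
 - MIT
@@ -124,7 +115,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Ruby wrapper for Bugcrowd's Methodology Taxonomy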
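Review bot: The `files:` hunk (`@@ -92,15 +92,6 @@`) removes every `lib/data/0.1/` entry — `schema.json`, `mappings/templates.json`, `mappings/templates.schema.json` and the six methodology files — and on the new side the list, which appears to be alphabetically ordered, runs straight from `- lib/bmt/version.rb` to `homepage:`, so 0.5.0 seems to ship no bundled taxonomy data at all. `lib/bmt/methodology.rb` and `lib/bmt/step.rb` are still packaged and no change to them is shown on this page, so whether the loader was updated cannot be confirmed here; if it still resolves the JSON relative to the gem it will fail at runtime, and if it now reads the data from outside the package that is a trust-boundary change for consumers who relied on the shipped, schema-validated copy. Whatever replaces the bundled files should keep the validation that the removed `templates.schema.json` and `schema.json` provided, and the release notes should state where the methodology data now comes from and that this is a behaviour change since 0.4.0.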
@@ -1,17 +0,0 @@
1
- {
2
- "metadata": {
3
- "title": "Methodology Taxonomy Template Mapping"
4
- },
5
- "content": [
6
- {
7
- "methodology": "website_testing",
8
- "children": [
9
- {
10
- "key": "information",
11
- "attribute": "notes",
12
- "template": "information.md"
13
- }
14
- ]
15
- }
16
- ]
17
- }
@@ -1,62 +0,0 @@
1
- {
2
- "$schema": "http://json-schema.org/draft-07/schema#",
3
- "title": "Methodology Taxonomy Mapping",
4
- "description": "Mapping to methodology taxonomy",
5
- "definitions": {
6
- "MappingMetadata": {
7
- "type": "object",
8
- "properties": {
9
- "title": {
10
- "type": "string",
11
- "pattern": "^[ a-zA-Z0-9\\-+()\/,.<]*$"
12
- }
13
- },
14
- "required": ["title"]
15
- },
16
- "BMTKey": { "type": "string", "pattern": "^[a-z_]*$" },
17
- "Attribute": { "type": "string", "pattern": "^[a-z_]*$" },
18
- "Template": { "type": "string", "pattern": "[a-z_.]*$" },
19
- "Mapping": {
20
- "type": "object",
21
- "properties": {
22
- "key": { "$ref": "#/definitions/BMTKey" },
23
- "attribute": { "$ref": "#/definitions/Attribute" },
24
- "template" : { "$ref": "#/definitions/Template" }
25
- },
26
- "required": ["key", "attribute", "template"],
27
- "additionalProperties": false
28
- },
29
- "MappingParent": {
30
- "type": "object",
31
- "properties": {
32
- "methodology": { "$ref": "#/definitions/BMTKey" },
33
- "children": {
34
- "type": "array",
35
- "items" : {
36
- "anyOf": [
37
- { "$ref": "#/definitions/Mapping" }
38
- ]
39
- }
40
- }
41
- },
42
- "required": ["methodology", "children"],
43
- "additionalProperties": false
44
- }
45
- },
46
- "type": "object",
47
- "required": ["metadata", "content"],
48
- "properties": {
49
- "metadata": {
50
- "$ref": "#/definitions/MappingMetadata"
51
- },
52
- "content": {
53
- "type": "array",
54
- "items" : {
55
- "anyOf": [
56
- { "$ref": "#/definitions/MappingParent" },
57
- { "$ref": "#/definitions/Mapping" }
58
- ]
59
- }
60
- }
61
- }
62
- }
@@ -1,252 +0,0 @@
1
- {
2
- "metadata": {
3
- "title": "Binary",
4
- "release_date": "2022-01-10T00:00:00+00:00",
5
- "description": "Bugcrowd Binary testing methodology",
6
- "vrt_version": "10.0.1"
7
- },
8
- "content": {
9
- "steps": [
10
- {
11
- "key": "insufficient_authentication_authorization",
12
- "title": "Insufficient Authentication/Authorization",
13
- "description": "",
14
- "type": "checklist",
15
- "items": [
16
- {
17
- "description": "",
18
- "key": "multi_user_environment",
19
- "caption": "",
20
- "title": "Assess the application for multi-user environments and ensure it includes functionality for role separation."
21
- },
22
- {
23
- "description": "",
24
- "key": "password_recovery_mechanism",
25
- "caption": "",
26
- "title": "Assess password recovery mechanisms and ensure session management is properly maintained/terminated at the remote endpoint."
27
- }
28
- ]
29
- },
30
- {
31
- "key": "insecure_network_services",
32
- "title": "Insecure Network Services",
33
- "description": "",
34
- "type": "checklist",
35
- "items": [
36
- {
37
- "description": "",
38
- "key": "ensure_network_services",
39
- "caption": "",
40
- "title": "Assess the application to ensure network services for potentially interesting crashes or denial-of-service conditions that might indicate the presence of a memory corruption issue."
41
- },
42
- {
43
- "description": "",
44
- "key": "ensure_debugging_services",
45
- "caption": "",
46
- "title": "Assess the application to ensure debugging services are not present (and if present, test those services for access controls/default credentials)."
47
- }
48
- ]
49
- },
50
- {
51
- "key": "lack_of_transport_encryption",
52
- "title": "Lack of Transport Encryption",
53
- "description": "",
54
- "type": "checklist",
55
- "items": [
56
- {
57
- "description": "",
58
- "key": "assess_encrypted_communication",
59
- "caption": "",
60
- "title": "Assess the application to determine the use of modern encrypted communication between endpoints."
61
- },
62
- {
63
- "description": "",
64
- "key": "assess_encrypted_practice",
65
- "caption": "",
66
- "title": "Assess the application to determine if accepted encryption practices are used."
67
- }
68
- ]
69
- },
70
- {
71
- "key": "privacy_concerns",
72
- "title": "Privacy Concerns",
73
- "description": "",
74
- "type": "checklist",
75
- "items": [
76
- {
77
- "description": "",
78
- "key": "assess_personal_information_collected",
79
- "caption": "",
80
- "title": "Assess the application to determine the amount of personal information collected."
81
- },
82
- {
83
- "description": "",
84
- "key": "assess_personal_data_encryption",
85
- "caption": "",
86
- "title": "Assess the application to determine if collected personal data is properly protected using encryption at rest and in transit."
87
- },
88
- {
89
- "description": "",
90
- "key": "assess_data_de_identified_or_anonymized",
91
- "caption": "",
92
- "title": "Assess the application to determine if data is de-identified or anonymized."
93
- },
94
- {
95
- "description": "",
96
- "key": "no_sesitive_data",
97
- "caption": "",
98
- "title": "No sensitive data, such as passwords or pins, are exposed through the user interface."
99
- },
100
- {
101
- "description": "",
102
- "key": "no_sensitive_log_info",
103
- "caption": "",
104
- "title": "No sensitive information is contained in logs generated by the application."
105
- },
106
- {
107
- "description": "",
108
- "key": "assess_personal_info_sending_to_remote_location",
109
- "caption": "",
110
- "title": "Assess whether the application sends personal/identifying information to a remote location even though it is only required for local use."
111
- }
112
- ]
113
- },
114
- {
115
- "key": "insecure_cloud_interface",
116
- "title": "Insecure Cloud Interface (where applicable)",
117
- "description": "",
118
- "type": "checklist",
119
- "items": [
120
- {
121
- "description": "",
122
- "key": "assess_cloud_for_security_vulnerability",
123
- "caption": "",
124
- "title": "Assess the cloud interfaces for security vulnerabilities (e.g.testing both API interfaces and cloud-based web interfaces for common (and uncommon) web application issues)."
125
- },
126
- {
127
- "description": "",
128
- "key": "assess_secure_transport_in_cloud",
129
- "caption": "",
130
- "title": "Assess all cloud interfaces to ensure secure transport encryption is used."
131
- }
132
- ]
133
- },
134
- {
135
- "key": "insecure_software_firmware",
136
- "title": "Insecure Software/Firmware",
137
- "description": "",
138
- "type": "checklist",
139
- "items": [
140
- {
141
- "description": "",
142
- "key": "assess_application_update_capability",
143
- "caption": "",
144
- "title": "Assess the application to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered."
145
- },
146
- {
147
- "description": "",
148
- "key": "assess_encrypted_file_transfer",
149
- "caption": "",
150
- "title": "Assess the application to ensure it uses encrypted update files and that the files are transmitted using encryption."
151
- },
152
- {
153
- "description": "",
154
- "key": "assess_signed_files",
155
- "caption": "",
156
- "title": "Assess the application to ensure it uses signed files and then validates those files before installation."
157
- },
158
- {
159
- "description": "",
160
- "key": "assess_insecure_function_calls",
161
- "caption": "",
162
- "title": "Assess the application for insecure/dangerous function calls."
163
- },
164
- {
165
- "description": "",
166
- "key": "assess_user_input_sanitization",
167
- "caption": "",
168
- "title": "Assess the application to ensure ensure all user-controllable input data is sanitized prior to use."
169
- },
170
- {
171
- "description": "",
172
- "key": "ensure_all_third_party_components",
173
- "caption": "",
174
- "title": "Ensure all third party components used by the application, such as libraries and frameworks, are identified, and checked for known vulnerabilities."
175
- },
176
- {
177
- "description": "",
178
- "key": "assess_hardcoded_sensitive_info",
179
- "caption": "",
180
- "title": "Assess the application for signs of hardcoded sensitive information - e.g. credentials, URLs, API keys, etc."
181
- },
182
- {
183
- "description": "",
184
- "key": "assess_secure_random_number_generator",
185
- "caption": "",
186
- "title": "Assess the application to ensure all random values are generated using a sufficiently secure random number generator."
187
- },
188
- {
189
- "description": "",
190
- "key": "assess_input_via_dynamic_testing",
191
- "caption": "",
192
- "title": "Assess inputs on the application via dynamic testing (e.g. fuzzing) to identify potentially interesting crashes or denial-of-service conditions that might suggest the presence of a memory corruption or command injection issue."
193
- },
194
- {
195
- "description": "",
196
- "key": "assess_misconfigured_permission",
197
- "caption": "",
198
- "title": "Assess the application for misconfigured permissions, allowing for the escalation of privileges (e.g. DLL spoofing/hijacking, etc)."
199
- },
200
- {
201
- "description": "",
202
- "key": "assess_minimal_permissions",
203
- "caption": "",
204
- "title": "Assess the application to ensure it only uses the minimum set of permissions necessary."
205
- },
206
- {
207
- "description": "",
208
- "key": "assess_object_deserialization",
209
- "caption": "",
210
- "title": "Assess the application for unsafe object deserialization behavior that might lead to command injection."
211
- },
212
- {
213
- "description": "",
214
- "key": "assess_compiler_os_exploit_mitigation",
215
- "caption": "",
216
- "title": "Assess the application to ensure Basic OS/compiler exploit mitigation features, such stack protection/exploit mitigation (DEP, ASLR, stack canaries, etc) are activated."
217
- },
218
- {
219
- "description": "",
220
- "key": "assess_authentication_bypass",
221
- "caption": "",
222
- "title": "Assess the application for authentication bypasses and backdoors, allowing for access to functions/features outside of intended-use flows."
223
- },
224
- {
225
- "description": "",
226
- "key": "assess_application_for_internal_use",
227
- "caption": "",
228
- "title": "Assess the application for ability to access/use components meant for internal or administrative use (e.g. leftover debugging functionality not intended to exist in production)."
229
- },
230
- {
231
- "description": "",
232
- "key": "assess_for_undocumented_api_endpoints",
233
- "caption": "",
234
- "title": "Assess the application for undocumented API endpoints, and assess those for common vulnerabilities, as well as authentication bypasses."
235
- }
236
- ]
237
- },
238
- {
239
- "key": "upload_logs",
240
- "title": "Upload logs",
241
- "description": "This should include all associated traffic associated to the in-scope targets.",
242
- "type": "large_upload"
243
- },
244
- {
245
- "key": "executive_summary",
246
- "title": "Executive summary",
247
- "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
248
- "type": "executive_summary"
249
- }
250
- ]
251
- }
252
- }