@blamejs/exceptd-skills 0.12.27 → 0.12.28
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +3 -0
- package/CHANGELOG.md +22 -0
- package/data/_indexes/_meta.json +22 -19
- package/data/_indexes/activity-feed.json +26 -5
- package/data/_indexes/catalog-summaries.json +3 -3
- package/data/_indexes/chains.json +994 -64
- package/data/_indexes/currency.json +28 -1
- package/data/_indexes/frequency.json +428 -124
- package/data/_indexes/handoff-dag.json +70 -19
- package/data/_indexes/jurisdiction-map.json +37 -12
- package/data/_indexes/section-offsets.json +282 -0
- package/data/_indexes/stale-content.json +2 -2
- package/data/_indexes/summary-cards.json +198 -0
- package/data/_indexes/token-budget.json +168 -3
- package/data/_indexes/trigger-table.json +190 -0
- package/data/_indexes/xref.json +145 -2
- package/data/attack-techniques.json +104 -19
- package/data/framework-control-gaps.json +498 -11
- package/data/playbooks/cloud-iam-incident.json +1351 -0
- package/data/playbooks/idp-incident.json +1259 -0
- package/data/playbooks/ransomware.json +1407 -0
- package/data/rfc-references.json +44 -0
- package/manifest-snapshot.json +219 -2
- package/manifest-snapshot.sha256 +1 -1
- package/manifest.json +282 -41
- package/package.json +1 -1
- package/sbom.cdx.json +7 -7
- package/skills/cloud-iam-incident/skill.md +419 -0
- package/skills/idp-incident-response/skill.md +352 -0
- package/skills/ransomware-response/skill.md +374 -0
|
@@ -3609,9 +3609,11 @@
|
|
|
3609
3609
|
"attack-surface-pentest",
|
|
3610
3610
|
"identity-assurance",
|
|
3611
3611
|
"webapp-security",
|
|
3612
|
-
"container-runtime-security"
|
|
3612
|
+
"container-runtime-security",
|
|
3613
|
+
"cloud-iam-incident",
|
|
3614
|
+
"idp-incident-response"
|
|
3613
3615
|
],
|
|
3614
|
-
"skill_count":
|
|
3616
|
+
"skill_count": 6,
|
|
3615
3617
|
"chain": {
|
|
3616
3618
|
"atlas": [
|
|
3617
3619
|
{
|
|
@@ -3634,15 +3636,58 @@
|
|
|
3634
3636
|
"T1059",
|
|
3635
3637
|
"T1068",
|
|
3636
3638
|
"T1078",
|
|
3639
|
+
"T1078.004",
|
|
3640
|
+
"T1098.001",
|
|
3637
3641
|
"T1110",
|
|
3638
3642
|
"T1133",
|
|
3639
3643
|
"T1190",
|
|
3644
|
+
"T1199",
|
|
3640
3645
|
"T1505",
|
|
3646
|
+
"T1538",
|
|
3647
|
+
"T1552.005",
|
|
3641
3648
|
"T1556",
|
|
3649
|
+
"T1556.007",
|
|
3650
|
+
"T1580",
|
|
3651
|
+
"T1606.002",
|
|
3642
3652
|
"T1610",
|
|
3643
3653
|
"T1611"
|
|
3644
3654
|
],
|
|
3645
3655
|
"framework_gaps": [
|
|
3656
|
+
{
|
|
3657
|
+
"id": "AU-ISM-1546-Cloud-Service-Account",
|
|
3658
|
+
"framework": "ACSC ISM (Australian Government Information Security Manual)",
|
|
3659
|
+
"control_name": "Multi-factor authentication for privileged users and remote access"
|
|
3660
|
+
},
|
|
3661
|
+
{
|
|
3662
|
+
"id": "AU-ISM-1559-IdP",
|
|
3663
|
+
"framework": "AU ISM",
|
|
3664
|
+
"control_name": "Privileged Account Credential Management — IdP-tenant control-plane extension"
|
|
3665
|
+
},
|
|
3666
|
+
{
|
|
3667
|
+
"id": "AWS-Security-Hub-Coverage-Gap",
|
|
3668
|
+
"framework": "AWS Security Hub Foundational Security Best Practices (also GCP SCC, Azure Defender for Cloud)",
|
|
3669
|
+
"control_name": "CSP-native posture-tool baseline (cross-provider gap class)"
|
|
3670
|
+
},
|
|
3671
|
+
{
|
|
3672
|
+
"id": "CISA-Snowflake-AA24-IdP-Cloud",
|
|
3673
|
+
"framework": "CISA (US) - Cross-framework advisory",
|
|
3674
|
+
"control_name": "CISA Snowflake breach advisory - IdP-to-cloud chained-compromise"
|
|
3675
|
+
},
|
|
3676
|
+
{
|
|
3677
|
+
"id": "DORA-Art-19-IdP-4h",
|
|
3678
|
+
"framework": "EU DORA",
|
|
3679
|
+
"control_name": "Major-ICT-related-incident notification — IdP-specific 4-hour clock"
|
|
3680
|
+
},
|
|
3681
|
+
{
|
|
3682
|
+
"id": "FedRAMP-IL5-IAM-Federated",
|
|
3683
|
+
"framework": "FedRAMP (US)",
|
|
3684
|
+
"control_name": "FedRAMP Impact-Level 5 baseline IAM controls"
|
|
3685
|
+
},
|
|
3686
|
+
{
|
|
3687
|
+
"id": "ISO-27001-2022-A.5.16-Federated",
|
|
3688
|
+
"framework": "ISO/IEC 27001:2022",
|
|
3689
|
+
"control_name": "Identity Management + Authentication Information — federated-state extension"
|
|
3690
|
+
},
|
|
3646
3691
|
{
|
|
3647
3692
|
"id": "ISO-27001-2022-A.8.28",
|
|
3648
3693
|
"framework": "ISO/IEC 27001:2022",
|
|
@@ -3653,6 +3698,16 @@
|
|
|
3653
3698
|
"framework": "ISO/IEC 27001:2022",
|
|
3654
3699
|
"control_name": "Outsourced development"
|
|
3655
3700
|
},
|
|
3701
|
+
{
|
|
3702
|
+
"id": "ISO-27017-Cloud-IAM",
|
|
3703
|
+
"framework": "ISO/IEC 27017:2015",
|
|
3704
|
+
"control_name": "ISO/IEC 27017 cloud-services security extension to ISO/IEC 27001"
|
|
3705
|
+
},
|
|
3706
|
+
{
|
|
3707
|
+
"id": "NIS2-Art-21-Federated-Identity",
|
|
3708
|
+
"framework": "EU NIS2 Directive",
|
|
3709
|
+
"control_name": "Cryptography + Access Control — federated-identity extension"
|
|
3710
|
+
},
|
|
3656
3711
|
{
|
|
3657
3712
|
"id": "NIS2-Art21-patch-management",
|
|
3658
3713
|
"framework": "EU NIS2 Directive",
|
|
@@ -3673,16 +3728,31 @@
|
|
|
3673
3728
|
"framework": "NIST SP 800-53 Rev 5",
|
|
3674
3729
|
"control_name": "Account Management"
|
|
3675
3730
|
},
|
|
3731
|
+
{
|
|
3732
|
+
"id": "NIST-800-53-AC-2-Cross-Account",
|
|
3733
|
+
"framework": "NIST 800-53 Rev 5",
|
|
3734
|
+
"control_name": "Account Management"
|
|
3735
|
+
},
|
|
3676
3736
|
{
|
|
3677
3737
|
"id": "NIST-800-53-CM-7",
|
|
3678
3738
|
"framework": "NIST SP 800-53 Rev 5",
|
|
3679
3739
|
"control_name": "Least Functionality"
|
|
3680
3740
|
},
|
|
3741
|
+
{
|
|
3742
|
+
"id": "NIST-800-53-IA-5-Federated",
|
|
3743
|
+
"framework": "NIST 800-53 Rev.5",
|
|
3744
|
+
"control_name": "Authenticator Management — federated-trust extension"
|
|
3745
|
+
},
|
|
3681
3746
|
{
|
|
3682
3747
|
"id": "NIST-800-63B-rev4",
|
|
3683
3748
|
"framework": "NIST SP 800-63B Rev 4 (Digital Identity Guidelines — Authentication & Lifecycle Mgmt)",
|
|
3684
3749
|
"control_name": "Authentication and Lifecycle Management (AAL/IAL/FAL)"
|
|
3685
3750
|
},
|
|
3751
|
+
{
|
|
3752
|
+
"id": "OFAC-Sanctions-Threat-Actor-Negotiation",
|
|
3753
|
+
"framework": "US Treasury OFAC + EU sanctions overlay + UK OFSI",
|
|
3754
|
+
"control_name": "Sanctions screening on ransomware-payment / threat-actor negotiation"
|
|
3755
|
+
},
|
|
3686
3756
|
{
|
|
3687
3757
|
"id": "OWASP-ASVS-v5.0-V14",
|
|
3688
3758
|
"framework": "OWASP ASVS v5.0",
|
|
@@ -3713,13 +3783,43 @@
|
|
|
3713
3783
|
"framework": "SLSA v1.0 (Supply-chain Levels for Software Artifacts) — Build Track",
|
|
3714
3784
|
"control_name": "Hardened build platform with non-falsifiable provenance"
|
|
3715
3785
|
},
|
|
3786
|
+
{
|
|
3787
|
+
"id": "SOC2-CC6-Access-Key-Leak-Public-Repo",
|
|
3788
|
+
"framework": "AICPA SOC 2 Trust Services Criteria",
|
|
3789
|
+
"control_name": "Logical Access Controls"
|
|
3790
|
+
},
|
|
3791
|
+
{
|
|
3792
|
+
"id": "SOC2-CC6-OAuth-Consent",
|
|
3793
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
3794
|
+
"control_name": "Logical and Physical Access Controls — OAuth consent extension"
|
|
3795
|
+
},
|
|
3716
3796
|
{
|
|
3717
3797
|
"id": "SOC2-CC6-logical-access",
|
|
3718
3798
|
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
3719
3799
|
"control_name": "Logical and Physical Access Controls"
|
|
3800
|
+
},
|
|
3801
|
+
{
|
|
3802
|
+
"id": "UK-CAF-B2-Cloud-IAM",
|
|
3803
|
+
"framework": "UK NCSC CAF (Cyber Assessment Framework) v3.x",
|
|
3804
|
+
"control_name": "Identity and Access Control"
|
|
3805
|
+
},
|
|
3806
|
+
{
|
|
3807
|
+
"id": "UK-CAF-B2-IdP-Tenant",
|
|
3808
|
+
"framework": "UK NCSC CAF",
|
|
3809
|
+
"control_name": "Identity and Access Control — IdP-tenant control-plane extension"
|
|
3720
3810
|
}
|
|
3721
3811
|
],
|
|
3722
3812
|
"d3fend": [
|
|
3813
|
+
{
|
|
3814
|
+
"id": "D3-CAA",
|
|
3815
|
+
"name": "Credential Access Auditing",
|
|
3816
|
+
"tactic": "Detect"
|
|
3817
|
+
},
|
|
3818
|
+
{
|
|
3819
|
+
"id": "D3-CBAN",
|
|
3820
|
+
"name": "Certificate-based Authentication",
|
|
3821
|
+
"tactic": "Harden"
|
|
3822
|
+
},
|
|
3723
3823
|
{
|
|
3724
3824
|
"id": "D3-CSPP",
|
|
3725
3825
|
"name": "Client-server Payload Profiling",
|
|
@@ -3730,6 +3830,16 @@
|
|
|
3730
3830
|
"name": "Executable Allowlisting",
|
|
3731
3831
|
"tactic": "Harden"
|
|
3732
3832
|
},
|
|
3833
|
+
{
|
|
3834
|
+
"id": "D3-IOPR",
|
|
3835
|
+
"name": "Input/Output Profiling Resource",
|
|
3836
|
+
"tactic": "Detect"
|
|
3837
|
+
},
|
|
3838
|
+
{
|
|
3839
|
+
"id": "D3-MFA",
|
|
3840
|
+
"name": "Multi-factor Authentication",
|
|
3841
|
+
"tactic": "Harden"
|
|
3842
|
+
},
|
|
3733
3843
|
{
|
|
3734
3844
|
"id": "D3-NTA",
|
|
3735
3845
|
"name": "Network Traffic Analysis",
|
|
@@ -3747,6 +3857,11 @@
|
|
|
3747
3857
|
"title": "JSON Web Token (JWT)",
|
|
3748
3858
|
"status": "Proposed Standard"
|
|
3749
3859
|
},
|
|
3860
|
+
{
|
|
3861
|
+
"id": "RFC-7591",
|
|
3862
|
+
"title": "OAuth 2.0 Dynamic Client Registration Protocol",
|
|
3863
|
+
"status": "Proposed Standard"
|
|
3864
|
+
},
|
|
3750
3865
|
{
|
|
3751
3866
|
"id": "RFC-8032",
|
|
3752
3867
|
"title": "Edwards-Curve Digital Signature Algorithm (EdDSA)",
|
|
@@ -3757,16 +3872,31 @@
|
|
|
3757
3872
|
"title": "The Transport Layer Security (TLS) Protocol Version 1.3",
|
|
3758
3873
|
"status": "Proposed Standard"
|
|
3759
3874
|
},
|
|
3875
|
+
{
|
|
3876
|
+
"id": "RFC-8693",
|
|
3877
|
+
"title": "OAuth 2.0 Token Exchange",
|
|
3878
|
+
"status": "Proposed Standard"
|
|
3879
|
+
},
|
|
3760
3880
|
{
|
|
3761
3881
|
"id": "RFC-8725",
|
|
3762
3882
|
"title": "JSON Web Token Best Current Practices",
|
|
3763
3883
|
"status": "Best Current Practice"
|
|
3764
3884
|
},
|
|
3885
|
+
{
|
|
3886
|
+
"id": "RFC-9068",
|
|
3887
|
+
"title": "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens",
|
|
3888
|
+
"status": "Proposed Standard"
|
|
3889
|
+
},
|
|
3765
3890
|
{
|
|
3766
3891
|
"id": "RFC-9114",
|
|
3767
3892
|
"title": "HTTP/3",
|
|
3768
3893
|
"status": "Proposed Standard"
|
|
3769
3894
|
},
|
|
3895
|
+
{
|
|
3896
|
+
"id": "RFC-9421",
|
|
3897
|
+
"title": "HTTP Message Signatures",
|
|
3898
|
+
"status": "Proposed Standard"
|
|
3899
|
+
},
|
|
3770
3900
|
{
|
|
3771
3901
|
"id": "RFC-9700",
|
|
3772
3902
|
"title": "Best Current Practice for OAuth 2.0 Security",
|
|
@@ -3783,14 +3913,105 @@
|
|
|
3783
3913
|
"CWE-284": {
|
|
3784
3914
|
"name": "Improper Access Control",
|
|
3785
3915
|
"category": "Access Control",
|
|
3786
|
-
"referencing_skills": [
|
|
3787
|
-
|
|
3916
|
+
"referencing_skills": [
|
|
3917
|
+
"idp-incident-response"
|
|
3918
|
+
],
|
|
3919
|
+
"skill_count": 1,
|
|
3788
3920
|
"chain": {
|
|
3789
3921
|
"atlas": [],
|
|
3790
|
-
"attack_refs": [
|
|
3791
|
-
|
|
3792
|
-
|
|
3793
|
-
|
|
3922
|
+
"attack_refs": [
|
|
3923
|
+
"T1078.004",
|
|
3924
|
+
"T1098.001",
|
|
3925
|
+
"T1199",
|
|
3926
|
+
"T1556.007",
|
|
3927
|
+
"T1606.002"
|
|
3928
|
+
],
|
|
3929
|
+
"framework_gaps": [
|
|
3930
|
+
{
|
|
3931
|
+
"id": "AU-ISM-1559-IdP",
|
|
3932
|
+
"framework": "AU ISM",
|
|
3933
|
+
"control_name": "Privileged Account Credential Management — IdP-tenant control-plane extension"
|
|
3934
|
+
},
|
|
3935
|
+
{
|
|
3936
|
+
"id": "DORA-Art-19-IdP-4h",
|
|
3937
|
+
"framework": "EU DORA",
|
|
3938
|
+
"control_name": "Major-ICT-related-incident notification — IdP-specific 4-hour clock"
|
|
3939
|
+
},
|
|
3940
|
+
{
|
|
3941
|
+
"id": "ISO-27001-2022-A.5.16-Federated",
|
|
3942
|
+
"framework": "ISO/IEC 27001:2022",
|
|
3943
|
+
"control_name": "Identity Management + Authentication Information — federated-state extension"
|
|
3944
|
+
},
|
|
3945
|
+
{
|
|
3946
|
+
"id": "NIS2-Art-21-Federated-Identity",
|
|
3947
|
+
"framework": "EU NIS2 Directive",
|
|
3948
|
+
"control_name": "Cryptography + Access Control — federated-identity extension"
|
|
3949
|
+
},
|
|
3950
|
+
{
|
|
3951
|
+
"id": "NIST-800-53-IA-5-Federated",
|
|
3952
|
+
"framework": "NIST 800-53 Rev.5",
|
|
3953
|
+
"control_name": "Authenticator Management — federated-trust extension"
|
|
3954
|
+
},
|
|
3955
|
+
{
|
|
3956
|
+
"id": "OFAC-Sanctions-Threat-Actor-Negotiation",
|
|
3957
|
+
"framework": "US Treasury OFAC + EU sanctions overlay + UK OFSI",
|
|
3958
|
+
"control_name": "Sanctions screening on ransomware-payment / threat-actor negotiation"
|
|
3959
|
+
},
|
|
3960
|
+
{
|
|
3961
|
+
"id": "SOC2-CC6-OAuth-Consent",
|
|
3962
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
3963
|
+
"control_name": "Logical and Physical Access Controls — OAuth consent extension"
|
|
3964
|
+
},
|
|
3965
|
+
{
|
|
3966
|
+
"id": "UK-CAF-B2-IdP-Tenant",
|
|
3967
|
+
"framework": "UK NCSC CAF",
|
|
3968
|
+
"control_name": "Identity and Access Control — IdP-tenant control-plane extension"
|
|
3969
|
+
}
|
|
3970
|
+
],
|
|
3971
|
+
"d3fend": [
|
|
3972
|
+
{
|
|
3973
|
+
"id": "D3-CBAN",
|
|
3974
|
+
"name": "Certificate-based Authentication",
|
|
3975
|
+
"tactic": "Harden"
|
|
3976
|
+
},
|
|
3977
|
+
{
|
|
3978
|
+
"id": "D3-IOPR",
|
|
3979
|
+
"name": "Input/Output Profiling Resource",
|
|
3980
|
+
"tactic": "Detect"
|
|
3981
|
+
},
|
|
3982
|
+
{
|
|
3983
|
+
"id": "D3-MFA",
|
|
3984
|
+
"name": "Multi-factor Authentication",
|
|
3985
|
+
"tactic": "Harden"
|
|
3986
|
+
},
|
|
3987
|
+
{
|
|
3988
|
+
"id": "D3-NTA",
|
|
3989
|
+
"name": "Network Traffic Analysis",
|
|
3990
|
+
"tactic": "Detect"
|
|
3991
|
+
}
|
|
3992
|
+
],
|
|
3993
|
+
"rfc_refs": [
|
|
3994
|
+
{
|
|
3995
|
+
"id": "RFC-7519",
|
|
3996
|
+
"title": "JSON Web Token (JWT)",
|
|
3997
|
+
"status": "Proposed Standard"
|
|
3998
|
+
},
|
|
3999
|
+
{
|
|
4000
|
+
"id": "RFC-7591",
|
|
4001
|
+
"title": "OAuth 2.0 Dynamic Client Registration Protocol",
|
|
4002
|
+
"status": "Proposed Standard"
|
|
4003
|
+
},
|
|
4004
|
+
{
|
|
4005
|
+
"id": "RFC-8725",
|
|
4006
|
+
"title": "JSON Web Token Best Current Practices",
|
|
4007
|
+
"status": "Best Current Practice"
|
|
4008
|
+
},
|
|
4009
|
+
{
|
|
4010
|
+
"id": "RFC-9421",
|
|
4011
|
+
"title": "HTTP Message Signatures",
|
|
4012
|
+
"status": "Proposed Standard"
|
|
4013
|
+
}
|
|
4014
|
+
]
|
|
3794
4015
|
},
|
|
3795
4016
|
"related_cves": []
|
|
3796
4017
|
},
|
|
@@ -3807,9 +4028,12 @@
|
|
|
3807
4028
|
"sector-telecom",
|
|
3808
4029
|
"api-security",
|
|
3809
4030
|
"cloud-security",
|
|
3810
|
-
"
|
|
4031
|
+
"ransomware-response",
|
|
4032
|
+
"age-gates-child-safety",
|
|
4033
|
+
"cloud-iam-incident",
|
|
4034
|
+
"idp-incident-response"
|
|
3811
4035
|
],
|
|
3812
|
-
"skill_count":
|
|
4036
|
+
"skill_count": 13,
|
|
3813
4037
|
"chain": {
|
|
3814
4038
|
"atlas": [
|
|
3815
4039
|
{
|
|
@@ -3845,16 +4069,23 @@
|
|
|
3845
4069
|
"T1068",
|
|
3846
4070
|
"T1071",
|
|
3847
4071
|
"T1078",
|
|
4072
|
+
"T1078.004",
|
|
3848
4073
|
"T1098",
|
|
4074
|
+
"T1098.001",
|
|
3849
4075
|
"T1110",
|
|
3850
4076
|
"T1190",
|
|
3851
4077
|
"T1199",
|
|
3852
4078
|
"T1486",
|
|
3853
4079
|
"T1505",
|
|
3854
4080
|
"T1530",
|
|
4081
|
+
"T1538",
|
|
3855
4082
|
"T1552",
|
|
4083
|
+
"T1552.005",
|
|
3856
4084
|
"T1556",
|
|
3857
|
-
"
|
|
4085
|
+
"T1556.007",
|
|
4086
|
+
"T1567",
|
|
4087
|
+
"T1580",
|
|
4088
|
+
"T1606.002"
|
|
3858
4089
|
],
|
|
3859
4090
|
"framework_gaps": [
|
|
3860
4091
|
{
|
|
@@ -3862,16 +4093,51 @@
|
|
|
3862
4093
|
"framework": "3GPP",
|
|
3863
4094
|
"control_name": "3GPP Security Assurance Specification (gNB / eNB)"
|
|
3864
4095
|
},
|
|
4096
|
+
{
|
|
4097
|
+
"id": "AU-ISM-1546-Cloud-Service-Account",
|
|
4098
|
+
"framework": "ACSC ISM (Australian Government Information Security Manual)",
|
|
4099
|
+
"control_name": "Multi-factor authentication for privileged users and remote access"
|
|
4100
|
+
},
|
|
3865
4101
|
{
|
|
3866
4102
|
"id": "AU-ISM-1556",
|
|
3867
4103
|
"framework": "au-ism",
|
|
3868
4104
|
"control_name": "Multi-factor authentication for privileged users (telecom NMS application)"
|
|
3869
4105
|
},
|
|
4106
|
+
{
|
|
4107
|
+
"id": "AU-ISM-1559-IdP",
|
|
4108
|
+
"framework": "AU ISM",
|
|
4109
|
+
"control_name": "Privileged Account Credential Management — IdP-tenant control-plane extension"
|
|
4110
|
+
},
|
|
4111
|
+
{
|
|
4112
|
+
"id": "AWS-Security-Hub-Coverage-Gap",
|
|
4113
|
+
"framework": "AWS Security Hub Foundational Security Best Practices (also GCP SCC, Azure Defender for Cloud)",
|
|
4114
|
+
"control_name": "CSP-native posture-tool baseline (cross-provider gap class)"
|
|
4115
|
+
},
|
|
4116
|
+
{
|
|
4117
|
+
"id": "CISA-Snowflake-AA24-IdP-Cloud",
|
|
4118
|
+
"framework": "CISA (US) - Cross-framework advisory",
|
|
4119
|
+
"control_name": "CISA Snowflake breach advisory - IdP-to-cloud chained-compromise"
|
|
4120
|
+
},
|
|
4121
|
+
{
|
|
4122
|
+
"id": "DORA-Art-19-IdP-4h",
|
|
4123
|
+
"framework": "EU DORA",
|
|
4124
|
+
"control_name": "Major-ICT-related-incident notification — IdP-specific 4-hour clock"
|
|
4125
|
+
},
|
|
3870
4126
|
{
|
|
3871
4127
|
"id": "DORA-Art-21-Telecom-ICT",
|
|
3872
4128
|
"framework": "DORA",
|
|
3873
4129
|
"control_name": "DORA Art. 21 — ICT third-party risk (telecom-adjacent application)"
|
|
3874
4130
|
},
|
|
4131
|
+
{
|
|
4132
|
+
"id": "Decryptor-Availability-Pre-Decision",
|
|
4133
|
+
"framework": "ALL",
|
|
4134
|
+
"control_name": "Decryptor availability lookup as precondition to ransomware pay/restore decision"
|
|
4135
|
+
},
|
|
4136
|
+
{
|
|
4137
|
+
"id": "EU-Sanctions-Reg-2014-833-Cyber",
|
|
4138
|
+
"framework": "EU",
|
|
4139
|
+
"control_name": "EU Council Regulation 2014/833 — Cyber Sanctions screening on ransomware payment posture"
|
|
4140
|
+
},
|
|
3875
4141
|
{
|
|
3876
4142
|
"id": "FCC-CPNI-4.1",
|
|
3877
4143
|
"framework": "FCC-CPNI",
|
|
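Review bot: The new `EU-Sanctions-Reg-2014-833-Cyber` entry in this hunk appears to cite the wrong legal instrument: Council Regulation (EU) No 833/2014 is the Russia sectoral-sanctions regulation, whereas the EU cyber-attack sanctions regime is Council Regulation (EU) 2019/796 (with Decision (CFSP) 2019/797), so an IR team following the ransomware playbook's payment gate would screen against the wrong list. Suggest correcting both the id and the control name, e.g. `"id": "EU-Sanctions-Reg-2019-796-Cyber"` and `"control_name": "EU Council Regulation (EU) 2019/796 — cyber-attack sanctions screening on ransomware payment posture"`, and checking the same entry in framework-control-gaps.json and the ransomware playbook so the index and its source agree. Separately, this entry uses `"framework": "EU"` while the sibling sanctions gates in the same array use `"ALL"` and `"US Treasury OFAC + EU sanctions overlay + UK OFSI"`, so a consumer grouping gaps by framework cannot bring the three sanctions checks together; a short normalized framework key (with the long description kept in control_name) would avoid that. The enclosing `framework_gaps` array starts and ends outside this hunk.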
@@ -3882,6 +4148,11 @@
|
|
|
3882
4148
|
"framework": "FCC",
|
|
3883
4149
|
"control_name": "FCC Cyber Incident Notification (4 business days)"
|
|
3884
4150
|
},
|
|
4151
|
+
{
|
|
4152
|
+
"id": "FedRAMP-IL5-IAM-Federated",
|
|
4153
|
+
"framework": "FedRAMP (US)",
|
|
4154
|
+
"control_name": "FedRAMP Impact-Level 5 baseline IAM controls"
|
|
4155
|
+
},
|
|
3885
4156
|
{
|
|
3886
4157
|
"id": "FedRAMP-Rev5-Moderate",
|
|
3887
4158
|
"framework": "FedRAMP Rev 5 Moderate",
|
|
@@ -3907,6 +4178,11 @@
|
|
|
3907
4178
|
"framework": "IEC 62443-3-3 (Industrial communication networks — security for IACS)",
|
|
3908
4179
|
"control_name": "System security requirements and security levels"
|
|
3909
4180
|
},
|
|
4181
|
+
{
|
|
4182
|
+
"id": "ISO-27001-2022-A.5.16-Federated",
|
|
4183
|
+
"framework": "ISO/IEC 27001:2022",
|
|
4184
|
+
"control_name": "Identity Management + Authentication Information — federated-state extension"
|
|
4185
|
+
},
|
|
3910
4186
|
{
|
|
3911
4187
|
"id": "ISO-27001-2022-A.8.28",
|
|
3912
4188
|
"framework": "ISO/IEC 27001:2022",
|
|
@@ -3917,11 +4193,26 @@
|
|
|
3917
4193
|
"framework": "ISO/IEC 27001:2022",
|
|
3918
4194
|
"control_name": "Outsourced development"
|
|
3919
4195
|
},
|
|
4196
|
+
{
|
|
4197
|
+
"id": "ISO-27017-Cloud-IAM",
|
|
4198
|
+
"framework": "ISO/IEC 27017:2015",
|
|
4199
|
+
"control_name": "ISO/IEC 27017 cloud-services security extension to ISO/IEC 27001"
|
|
4200
|
+
},
|
|
3920
4201
|
{
|
|
3921
4202
|
"id": "ITU-T-X.805",
|
|
3922
4203
|
"framework": "ITU-T",
|
|
3923
4204
|
"control_name": "ITU-T X.805 — 8-dimension security architecture for end-to-end communications"
|
|
3924
4205
|
},
|
|
4206
|
+
{
|
|
4207
|
+
"id": "Immutable-Backup-Recovery",
|
|
4208
|
+
"framework": "ALL",
|
|
4209
|
+
"control_name": "Immutable backup as distinct sub-property of backup control (vs replication / write-protect / off-network)"
|
|
4210
|
+
},
|
|
4211
|
+
{
|
|
4212
|
+
"id": "Insurance-Carrier-24h-Notification",
|
|
4213
|
+
"framework": "ALL",
|
|
4214
|
+
"control_name": "Cyber insurance carrier 24h notification with pre-approval workflow"
|
|
4215
|
+
},
|
|
3925
4216
|
{
|
|
3926
4217
|
"id": "NERC-CIP-007-6-R4",
|
|
3927
4218
|
"framework": "NERC CIP-007-6 (BES Cyber System Security Management)",
|
|
@@ -3932,6 +4223,11 @@
|
|
|
3932
4223
|
"framework": "NIS2",
|
|
3933
4224
|
"control_name": "NIS2 Annex I — telecommunications essential entities"
|
|
3934
4225
|
},
|
|
4226
|
+
{
|
|
4227
|
+
"id": "NIS2-Art-21-Federated-Identity",
|
|
4228
|
+
"framework": "EU NIS2 Directive",
|
|
4229
|
+
"control_name": "Cryptography + Access Control — federated-identity extension"
|
|
4230
|
+
},
|
|
3935
4231
|
{
|
|
3936
4232
|
"id": "NIS2-Art21-patch-management",
|
|
3937
4233
|
"framework": "EU NIS2 Directive",
|
|
@@ -3947,11 +4243,21 @@
|
|
|
3947
4243
|
"framework": "NIST SP 800-53 Rev 5",
|
|
3948
4244
|
"control_name": "Account Management"
|
|
3949
4245
|
},
|
|
4246
|
+
{
|
|
4247
|
+
"id": "NIST-800-53-AC-2-Cross-Account",
|
|
4248
|
+
"framework": "NIST 800-53 Rev 5",
|
|
4249
|
+
"control_name": "Account Management"
|
|
4250
|
+
},
|
|
3950
4251
|
{
|
|
3951
4252
|
"id": "NIST-800-53-CM-7",
|
|
3952
4253
|
"framework": "NIST SP 800-53 Rev 5",
|
|
3953
4254
|
"control_name": "Least Functionality"
|
|
3954
4255
|
},
|
|
4256
|
+
{
|
|
4257
|
+
"id": "NIST-800-53-IA-5-Federated",
|
|
4258
|
+
"framework": "NIST 800-53 Rev.5",
|
|
4259
|
+
"control_name": "Authenticator Management — federated-trust extension"
|
|
4260
|
+
},
|
|
3955
4261
|
{
|
|
3956
4262
|
"id": "NIST-800-63B-rev4",
|
|
3957
4263
|
"framework": "NIST SP 800-63B Rev 4 (Digital Identity Guidelines — Authentication & Lifecycle Mgmt)",
|
|
@@ -3962,6 +4268,16 @@
|
|
|
3962
4268
|
"framework": "NIST SP 800-82 Rev 3 (Guide to OT Security)",
|
|
3963
4269
|
"control_name": "Guide to Operational Technology (OT) Security"
|
|
3964
4270
|
},
|
|
4271
|
+
{
|
|
4272
|
+
"id": "OFAC-SDN-Payment-Block",
|
|
4273
|
+
"framework": "ALL",
|
|
4274
|
+
"control_name": "OFAC SDN sanctions screening as blocking gate on ransomware payment posture"
|
|
4275
|
+
},
|
|
4276
|
+
{
|
|
4277
|
+
"id": "OFAC-Sanctions-Threat-Actor-Negotiation",
|
|
4278
|
+
"framework": "US Treasury OFAC + EU sanctions overlay + UK OFSI",
|
|
4279
|
+
"control_name": "Sanctions screening on ransomware-payment / threat-actor negotiation"
|
|
4280
|
+
},
|
|
3965
4281
|
{
|
|
3966
4282
|
"id": "OWASP-ASVS-v5.0-V14",
|
|
3967
4283
|
"framework": "OWASP ASVS v5.0",
|
|
@@ -3972,11 +4288,26 @@
|
|
|
3972
4288
|
"framework": "OWASP Top 10 for LLM Applications 2025",
|
|
3973
4289
|
"control_name": "Prompt Injection"
|
|
3974
4290
|
},
|
|
4291
|
+
{
|
|
4292
|
+
"id": "PHI-Exfil-Before-Encrypt-Breach-Class",
|
|
4293
|
+
"framework": "ALL",
|
|
4294
|
+
"control_name": "PHI / personal-data exfiltration before encryption as distinct breach class from the encryption event"
|
|
4295
|
+
},
|
|
3975
4296
|
{
|
|
3976
4297
|
"id": "PSD2-RTS-SCA",
|
|
3977
4298
|
"framework": "EU PSD2 Regulatory Technical Standards on Strong Customer Authentication (Commission Delegated Regulation (EU) 2018/389)",
|
|
3978
4299
|
"control_name": "Strong Customer Authentication and Common and Secure Communication"
|
|
3979
4300
|
},
|
|
4301
|
+
{
|
|
4302
|
+
"id": "SOC2-CC6-Access-Key-Leak-Public-Repo",
|
|
4303
|
+
"framework": "AICPA SOC 2 Trust Services Criteria",
|
|
4304
|
+
"control_name": "Logical Access Controls"
|
|
4305
|
+
},
|
|
4306
|
+
{
|
|
4307
|
+
"id": "SOC2-CC6-OAuth-Consent",
|
|
4308
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
4309
|
+
"control_name": "Logical and Physical Access Controls — OAuth consent extension"
|
|
4310
|
+
},
|
|
3980
4311
|
{
|
|
3981
4312
|
"id": "SOC2-CC6-logical-access",
|
|
3982
4313
|
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
@@ -3992,6 +4323,16 @@
|
|
|
3992
4323
|
"framework": "SWIFT Customer Security Controls Framework v2026",
|
|
3993
4324
|
"control_name": "SWIFT Environment Protection"
|
|
3994
4325
|
},
|
|
4326
|
+
{
|
|
4327
|
+
"id": "UK-CAF-B2-Cloud-IAM",
|
|
4328
|
+
"framework": "UK NCSC CAF (Cyber Assessment Framework) v3.x",
|
|
4329
|
+
"control_name": "Identity and Access Control"
|
|
4330
|
+
},
|
|
4331
|
+
{
|
|
4332
|
+
"id": "UK-CAF-B2-IdP-Tenant",
|
|
4333
|
+
"framework": "UK NCSC CAF",
|
|
4334
|
+
"control_name": "Identity and Access Control — IdP-tenant control-plane extension"
|
|
4335
|
+
},
|
|
3995
4336
|
{
|
|
3996
4337
|
"id": "UK-CAF-B5",
|
|
3997
4338
|
"framework": "UK-CAF",
|
|
@@ -3999,11 +4340,31 @@
|
|
|
3999
4340
|
}
|
|
4000
4341
|
],
|
|
4001
4342
|
"d3fend": [
|
|
4343
|
+
{
|
|
4344
|
+
"id": "D3-CAA",
|
|
4345
|
+
"name": "Credential Access Auditing",
|
|
4346
|
+
"tactic": "Detect"
|
|
4347
|
+
},
|
|
4348
|
+
{
|
|
4349
|
+
"id": "D3-CBAN",
|
|
4350
|
+
"name": "Certificate-based Authentication",
|
|
4351
|
+
"tactic": "Harden"
|
|
4352
|
+
},
|
|
4353
|
+
{
|
|
4354
|
+
"id": "D3-CSPP",
|
|
4355
|
+
"name": "Client-server Payload Profiling",
|
|
4356
|
+
"tactic": "Detect"
|
|
4357
|
+
},
|
|
4002
4358
|
{
|
|
4003
4359
|
"id": "D3-IOPR",
|
|
4004
4360
|
"name": "Input/Output Profiling Resource",
|
|
4005
4361
|
"tactic": "Detect"
|
|
4006
4362
|
},
|
|
4363
|
+
{
|
|
4364
|
+
"id": "D3-MFA",
|
|
4365
|
+
"name": "Multi-factor Authentication",
|
|
4366
|
+
"tactic": "Harden"
|
|
4367
|
+
},
|
|
4007
4368
|
{
|
|
4008
4369
|
"id": "D3-NI",
|
|
4009
4370
|
"name": "Network Isolation",
|
|
@@ -4018,6 +4379,11 @@
|
|
|
4018
4379
|
"id": "D3-NTPM",
|
|
4019
4380
|
"name": "Network Traffic Policy Mapping",
|
|
4020
4381
|
"tactic": "Model"
|
|
4382
|
+
},
|
|
4383
|
+
{
|
|
4384
|
+
"id": "D3-RPA",
|
|
4385
|
+
"name": "Remote Process Analysis",
|
|
4386
|
+
"tactic": "Detect"
|
|
4021
4387
|
}
|
|
4022
4388
|
],
|
|
4023
4389
|
"rfc_refs": [
|
|
@@ -4031,6 +4397,11 @@
|
|
|
4031
4397
|
"title": "JSON Web Token (JWT)",
|
|
4032
4398
|
"status": "Proposed Standard"
|
|
4033
4399
|
},
|
|
4400
|
+
{
|
|
4401
|
+
"id": "RFC-7591",
|
|
4402
|
+
"title": "OAuth 2.0 Dynamic Client Registration Protocol",
|
|
4403
|
+
"status": "Proposed Standard"
|
|
4404
|
+
},
|
|
4034
4405
|
{
|
|
4035
4406
|
"id": "RFC-8032",
|
|
4036
4407
|
"title": "Edwards-Curve Digital Signature Algorithm (EdDSA)",
|
|
@@ -4041,11 +4412,21 @@
|
|
|
4041
4412
|
"title": "The Transport Layer Security (TLS) Protocol Version 1.3",
|
|
4042
4413
|
"status": "Proposed Standard"
|
|
4043
4414
|
},
|
|
4415
|
+
{
|
|
4416
|
+
"id": "RFC-8693",
|
|
4417
|
+
"title": "OAuth 2.0 Token Exchange",
|
|
4418
|
+
"status": "Proposed Standard"
|
|
4419
|
+
},
|
|
4044
4420
|
{
|
|
4045
4421
|
"id": "RFC-8725",
|
|
4046
4422
|
"title": "JSON Web Token Best Current Practices",
|
|
4047
4423
|
"status": "Best Current Practice"
|
|
4048
4424
|
},
|
|
4425
|
+
{
|
|
4426
|
+
"id": "RFC-9068",
|
|
4427
|
+
"title": "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens",
|
|
4428
|
+
"status": "Proposed Standard"
|
|
4429
|
+
},
|
|
4049
4430
|
{
|
|
4050
4431
|
"id": "RFC-9114",
|
|
4051
4432
|
"title": "HTTP/3",
|
|
@@ -4470,9 +4851,10 @@
|
|
|
4470
4851
|
"name": "Insufficient Verification of Data Authenticity",
|
|
4471
4852
|
"category": "Authenticity / Supply Chain",
|
|
4472
4853
|
"referencing_skills": [
|
|
4473
|
-
"mcp-agent-trust"
|
|
4854
|
+
"mcp-agent-trust",
|
|
4855
|
+
"idp-incident-response"
|
|
4474
4856
|
],
|
|
4475
|
-
"skill_count":
|
|
4857
|
+
"skill_count": 2,
|
|
4476
4858
|
"chain": {
|
|
4477
4859
|
"atlas": [
|
|
4478
4860
|
{
|
|
@@ -4493,8 +4875,13 @@
|
|
|
4493
4875
|
],
|
|
4494
4876
|
"attack_refs": [
|
|
4495
4877
|
"T1059",
|
|
4878
|
+
"T1078.004",
|
|
4879
|
+
"T1098.001",
|
|
4496
4880
|
"T1190",
|
|
4497
|
-
"T1195.001"
|
|
4881
|
+
"T1195.001",
|
|
4882
|
+
"T1199",
|
|
4883
|
+
"T1556.007",
|
|
4884
|
+
"T1606.002"
|
|
4498
4885
|
],
|
|
4499
4886
|
"framework_gaps": [
|
|
4500
4887
|
{
|
|
@@ -4502,26 +4889,61 @@
|
|
|
4502
4889
|
"framework": "ALL",
|
|
4503
4890
|
"control_name": "MCP/Agent Tool Trust Boundaries"
|
|
4504
4891
|
},
|
|
4892
|
+
{
|
|
4893
|
+
"id": "AU-ISM-1559-IdP",
|
|
4894
|
+
"framework": "AU ISM",
|
|
4895
|
+
"control_name": "Privileged Account Credential Management — IdP-tenant control-plane extension"
|
|
4896
|
+
},
|
|
4897
|
+
{
|
|
4898
|
+
"id": "DORA-Art-19-IdP-4h",
|
|
4899
|
+
"framework": "EU DORA",
|
|
4900
|
+
"control_name": "Major-ICT-related-incident notification — IdP-specific 4-hour clock"
|
|
4901
|
+
},
|
|
4902
|
+
{
|
|
4903
|
+
"id": "ISO-27001-2022-A.5.16-Federated",
|
|
4904
|
+
"framework": "ISO/IEC 27001:2022",
|
|
4905
|
+
"control_name": "Identity Management + Authentication Information — federated-state extension"
|
|
4906
|
+
},
|
|
4505
4907
|
{
|
|
4506
4908
|
"id": "ISO-27001-2022-A.8.30",
|
|
4507
4909
|
"framework": "ISO/IEC 27001:2022",
|
|
4508
4910
|
"control_name": "Outsourced development"
|
|
4509
4911
|
},
|
|
4912
|
+
{
|
|
4913
|
+
"id": "NIS2-Art-21-Federated-Identity",
|
|
4914
|
+
"framework": "EU NIS2 Directive",
|
|
4915
|
+
"control_name": "Cryptography + Access Control — federated-identity extension"
|
|
4916
|
+
},
|
|
4510
4917
|
{
|
|
4511
4918
|
"id": "NIST-800-53-CM-7",
|
|
4512
4919
|
"framework": "NIST SP 800-53 Rev 5",
|
|
4513
4920
|
"control_name": "Least Functionality"
|
|
4514
4921
|
},
|
|
4922
|
+
{
|
|
4923
|
+
"id": "NIST-800-53-IA-5-Federated",
|
|
4924
|
+
"framework": "NIST 800-53 Rev.5",
|
|
4925
|
+
"control_name": "Authenticator Management — federated-trust extension"
|
|
4926
|
+
},
|
|
4515
4927
|
{
|
|
4516
4928
|
"id": "NIST-800-53-SA-12",
|
|
4517
4929
|
"framework": "NIST SP 800-53 Rev 5",
|
|
4518
4930
|
"control_name": "Supply Chain Protection"
|
|
4519
4931
|
},
|
|
4932
|
+
{
|
|
4933
|
+
"id": "OFAC-Sanctions-Threat-Actor-Negotiation",
|
|
4934
|
+
"framework": "US Treasury OFAC + EU sanctions overlay + UK OFSI",
|
|
4935
|
+
"control_name": "Sanctions screening on ransomware-payment / threat-actor negotiation"
|
|
4936
|
+
},
|
|
4520
4937
|
{
|
|
4521
4938
|
"id": "OWASP-LLM-Top-10-2025-LLM06",
|
|
4522
4939
|
"framework": "OWASP Top 10 for LLM Applications 2025",
|
|
4523
4940
|
"control_name": "Excessive Agency"
|
|
4524
4941
|
},
|
|
4942
|
+
{
|
|
4943
|
+
"id": "SOC2-CC6-OAuth-Consent",
|
|
4944
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
4945
|
+
"control_name": "Logical and Physical Access Controls — OAuth consent extension"
|
|
4946
|
+
},
|
|
4525
4947
|
{
|
|
4526
4948
|
"id": "SOC2-CC9-vendor-management",
|
|
4527
4949
|
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
@@ -4531,6 +4953,11 @@
|
|
|
4531
4953
|
"id": "SWIFT-CSCF-v2026-1.1",
|
|
4532
4954
|
"framework": "SWIFT Customer Security Controls Framework v2026",
|
|
4533
4955
|
"control_name": "SWIFT Environment Protection"
|
|
4956
|
+
},
|
|
4957
|
+
{
|
|
4958
|
+
"id": "UK-CAF-B2-IdP-Tenant",
|
|
4959
|
+
"framework": "UK NCSC CAF",
|
|
4960
|
+
"control_name": "Identity and Access Control — IdP-tenant control-plane extension"
|
|
4534
4961
|
}
|
|
4535
4962
|
],
|
|
4536
4963
|
"d3fend": [
|
|
@@ -4554,10 +4981,20 @@
|
|
|
4554
4981
|
"name": "Executable Hashbased Allowlist",
|
|
4555
4982
|
"tactic": "Harden"
|
|
4556
4983
|
},
|
|
4984
|
+
{
|
|
4985
|
+
"id": "D3-IOPR",
|
|
4986
|
+
"name": "Input/Output Profiling Resource",
|
|
4987
|
+
"tactic": "Detect"
|
|
4988
|
+
},
|
|
4557
4989
|
{
|
|
4558
4990
|
"id": "D3-MFA",
|
|
4559
4991
|
"name": "Multi-factor Authentication",
|
|
4560
4992
|
"tactic": "Harden"
|
|
4993
|
+
},
|
|
4994
|
+
{
|
|
4995
|
+
"id": "D3-NTA",
|
|
4996
|
+
"name": "Network Traffic Analysis",
|
|
4997
|
+
"tactic": "Detect"
|
|
4561
4998
|
}
|
|
4562
4999
|
],
|
|
4563
5000
|
"rfc_refs": [
|
|
@@ -4571,6 +5008,11 @@
|
|
|
4571
5008
|
"title": "JSON Web Token (JWT)",
|
|
4572
5009
|
"status": "Proposed Standard"
|
|
4573
5010
|
},
|
|
5011
|
+
{
|
|
5012
|
+
"id": "RFC-7591",
|
|
5013
|
+
"title": "OAuth 2.0 Dynamic Client Registration Protocol",
|
|
5014
|
+
"status": "Proposed Standard"
|
|
5015
|
+
},
|
|
4574
5016
|
{
|
|
4575
5017
|
"id": "RFC-8446",
|
|
4576
5018
|
"title": "The Transport Layer Security (TLS) Protocol Version 1.3",
|
|
@@ -5628,9 +6070,192 @@
|
|
|
5628
6070
|
"tactic": "Harden"
|
|
5629
6071
|
},
|
|
5630
6072
|
{
|
|
5631
|
-
"id": "D3-EHB",
|
|
5632
|
-
"name": "Executable Hashbased Allowlist",
|
|
6073
|
+
"id": "D3-EHB",
|
|
6074
|
+
"name": "Executable Hashbased Allowlist",
|
|
6075
|
+
"tactic": "Harden"
|
|
6076
|
+
}
|
|
6077
|
+
],
|
|
6078
|
+
"rfc_refs": [
|
|
6079
|
+
{
|
|
6080
|
+
"id": "RFC-7519",
|
|
6081
|
+
"title": "JSON Web Token (JWT)",
|
|
6082
|
+
"status": "Proposed Standard"
|
|
6083
|
+
},
|
|
6084
|
+
{
|
|
6085
|
+
"id": "RFC-8032",
|
|
6086
|
+
"title": "Edwards-Curve Digital Signature Algorithm (EdDSA)",
|
|
6087
|
+
"status": "Informational"
|
|
6088
|
+
},
|
|
6089
|
+
{
|
|
6090
|
+
"id": "RFC-8446",
|
|
6091
|
+
"title": "The Transport Layer Security (TLS) Protocol Version 1.3",
|
|
6092
|
+
"status": "Proposed Standard"
|
|
6093
|
+
},
|
|
6094
|
+
{
|
|
6095
|
+
"id": "RFC-8725",
|
|
6096
|
+
"title": "JSON Web Token Best Current Practices",
|
|
6097
|
+
"status": "Best Current Practice"
|
|
6098
|
+
},
|
|
6099
|
+
{
|
|
6100
|
+
"id": "RFC-9114",
|
|
6101
|
+
"title": "HTTP/3",
|
|
6102
|
+
"status": "Proposed Standard"
|
|
6103
|
+
}
|
|
6104
|
+
]
|
|
6105
|
+
},
|
|
6106
|
+
"related_cves": [
|
|
6107
|
+
"CVE-2025-53773",
|
|
6108
|
+
"CVE-2026-30615"
|
|
6109
|
+
]
|
|
6110
|
+
},
|
|
6111
|
+
"CWE-506": {
|
|
6112
|
+
"name": "Embedded Malicious Code",
|
|
6113
|
+
"category": "Supply Chain",
|
|
6114
|
+
"referencing_skills": [],
|
|
6115
|
+
"skill_count": 0,
|
|
6116
|
+
"chain": {
|
|
6117
|
+
"atlas": [],
|
|
6118
|
+
"attack_refs": [],
|
|
6119
|
+
"framework_gaps": [],
|
|
6120
|
+
"d3fend": [],
|
|
6121
|
+
"rfc_refs": []
|
|
6122
|
+
},
|
|
6123
|
+
"related_cves": []
|
|
6124
|
+
},
|
|
6125
|
+
"CWE-522": {
|
|
6126
|
+
"name": "Insufficiently Protected Credentials",
|
|
6127
|
+
"category": "Credentials Management",
|
|
6128
|
+
"referencing_skills": [
|
|
6129
|
+
"cloud-iam-incident",
|
|
6130
|
+
"idp-incident-response"
|
|
6131
|
+
],
|
|
6132
|
+
"skill_count": 2,
|
|
6133
|
+
"chain": {
|
|
6134
|
+
"atlas": [
|
|
6135
|
+
{
|
|
6136
|
+
"id": "AML.T0051",
|
|
6137
|
+
"name": "LLM Prompt Injection",
|
|
6138
|
+
"tactic": "Execution"
|
|
6139
|
+
}
|
|
6140
|
+
],
|
|
6141
|
+
"attack_refs": [
|
|
6142
|
+
"T1078",
|
|
6143
|
+
"T1078.004",
|
|
6144
|
+
"T1098.001",
|
|
6145
|
+
"T1199",
|
|
6146
|
+
"T1538",
|
|
6147
|
+
"T1552.005",
|
|
6148
|
+
"T1556.007",
|
|
6149
|
+
"T1580",
|
|
6150
|
+
"T1606.002"
|
|
6151
|
+
],
|
|
6152
|
+
"framework_gaps": [
|
|
6153
|
+
{
|
|
6154
|
+
"id": "AU-ISM-1546-Cloud-Service-Account",
|
|
6155
|
+
"framework": "ACSC ISM (Australian Government Information Security Manual)",
|
|
6156
|
+
"control_name": "Multi-factor authentication for privileged users and remote access"
|
|
6157
|
+
},
|
|
6158
|
+
{
|
|
6159
|
+
"id": "AU-ISM-1559-IdP",
|
|
6160
|
+
"framework": "AU ISM",
|
|
6161
|
+
"control_name": "Privileged Account Credential Management — IdP-tenant control-plane extension"
|
|
6162
|
+
},
|
|
6163
|
+
{
|
|
6164
|
+
"id": "AWS-Security-Hub-Coverage-Gap",
|
|
6165
|
+
"framework": "AWS Security Hub Foundational Security Best Practices (also GCP SCC, Azure Defender for Cloud)",
|
|
6166
|
+
"control_name": "CSP-native posture-tool baseline (cross-provider gap class)"
|
|
6167
|
+
},
|
|
6168
|
+
{
|
|
6169
|
+
"id": "CISA-Snowflake-AA24-IdP-Cloud",
|
|
6170
|
+
"framework": "CISA (US) - Cross-framework advisory",
|
|
6171
|
+
"control_name": "CISA Snowflake breach advisory - IdP-to-cloud chained-compromise"
|
|
6172
|
+
},
|
|
6173
|
+
{
|
|
6174
|
+
"id": "DORA-Art-19-IdP-4h",
|
|
6175
|
+
"framework": "EU DORA",
|
|
6176
|
+
"control_name": "Major-ICT-related-incident notification — IdP-specific 4-hour clock"
|
|
6177
|
+
},
|
|
6178
|
+
{
|
|
6179
|
+
"id": "FedRAMP-IL5-IAM-Federated",
|
|
6180
|
+
"framework": "FedRAMP (US)",
|
|
6181
|
+
"control_name": "FedRAMP Impact-Level 5 baseline IAM controls"
|
|
6182
|
+
},
|
|
6183
|
+
{
|
|
6184
|
+
"id": "ISO-27001-2022-A.5.16-Federated",
|
|
6185
|
+
"framework": "ISO/IEC 27001:2022",
|
|
6186
|
+
"control_name": "Identity Management + Authentication Information — federated-state extension"
|
|
6187
|
+
},
|
|
6188
|
+
{
|
|
6189
|
+
"id": "ISO-27017-Cloud-IAM",
|
|
6190
|
+
"framework": "ISO/IEC 27017:2015",
|
|
6191
|
+
"control_name": "ISO/IEC 27017 cloud-services security extension to ISO/IEC 27001"
|
|
6192
|
+
},
|
|
6193
|
+
{
|
|
6194
|
+
"id": "NIS2-Art-21-Federated-Identity",
|
|
6195
|
+
"framework": "EU NIS2 Directive",
|
|
6196
|
+
"control_name": "Cryptography + Access Control — federated-identity extension"
|
|
6197
|
+
},
|
|
6198
|
+
{
|
|
6199
|
+
"id": "NIST-800-53-AC-2-Cross-Account",
|
|
6200
|
+
"framework": "NIST 800-53 Rev 5",
|
|
6201
|
+
"control_name": "Account Management"
|
|
6202
|
+
},
|
|
6203
|
+
{
|
|
6204
|
+
"id": "NIST-800-53-IA-5-Federated",
|
|
6205
|
+
"framework": "NIST 800-53 Rev.5",
|
|
6206
|
+
"control_name": "Authenticator Management — federated-trust extension"
|
|
6207
|
+
},
|
|
6208
|
+
{
|
|
6209
|
+
"id": "OFAC-Sanctions-Threat-Actor-Negotiation",
|
|
6210
|
+
"framework": "US Treasury OFAC + EU sanctions overlay + UK OFSI",
|
|
6211
|
+
"control_name": "Sanctions screening on ransomware-payment / threat-actor negotiation"
|
|
6212
|
+
},
|
|
6213
|
+
{
|
|
6214
|
+
"id": "SOC2-CC6-Access-Key-Leak-Public-Repo",
|
|
6215
|
+
"framework": "AICPA SOC 2 Trust Services Criteria",
|
|
6216
|
+
"control_name": "Logical Access Controls"
|
|
6217
|
+
},
|
|
6218
|
+
{
|
|
6219
|
+
"id": "SOC2-CC6-OAuth-Consent",
|
|
6220
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
6221
|
+
"control_name": "Logical and Physical Access Controls — OAuth consent extension"
|
|
6222
|
+
},
|
|
6223
|
+
{
|
|
6224
|
+
"id": "UK-CAF-B2-Cloud-IAM",
|
|
6225
|
+
"framework": "UK NCSC CAF (Cyber Assessment Framework) v3.x",
|
|
6226
|
+
"control_name": "Identity and Access Control"
|
|
6227
|
+
},
|
|
6228
|
+
{
|
|
6229
|
+
"id": "UK-CAF-B2-IdP-Tenant",
|
|
6230
|
+
"framework": "UK NCSC CAF",
|
|
6231
|
+
"control_name": "Identity and Access Control — IdP-tenant control-plane extension"
|
|
6232
|
+
}
|
|
6233
|
+
],
|
|
6234
|
+
"d3fend": [
|
|
6235
|
+
{
|
|
6236
|
+
"id": "D3-CAA",
|
|
6237
|
+
"name": "Credential Access Auditing",
|
|
6238
|
+
"tactic": "Detect"
|
|
6239
|
+
},
|
|
6240
|
+
{
|
|
6241
|
+
"id": "D3-CBAN",
|
|
6242
|
+
"name": "Certificate-based Authentication",
|
|
6243
|
+
"tactic": "Harden"
|
|
6244
|
+
},
|
|
6245
|
+
{
|
|
6246
|
+
"id": "D3-IOPR",
|
|
6247
|
+
"name": "Input/Output Profiling Resource",
|
|
6248
|
+
"tactic": "Detect"
|
|
6249
|
+
},
|
|
6250
|
+
{
|
|
6251
|
+
"id": "D3-MFA",
|
|
6252
|
+
"name": "Multi-factor Authentication",
|
|
5633
6253
|
"tactic": "Harden"
|
|
6254
|
+
},
|
|
6255
|
+
{
|
|
6256
|
+
"id": "D3-NTA",
|
|
6257
|
+
"name": "Network Traffic Analysis",
|
|
6258
|
+
"tactic": "Detect"
|
|
5634
6259
|
}
|
|
5635
6260
|
],
|
|
5636
6261
|
"rfc_refs": [
|
|
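Review bot: The `framework` labels inside CWE-522's new `framework_gaps` list spell the same standard several ways, so a consumer that groups or filters gaps by `framework` will split one framework into separate buckets: `"ACSC ISM (Australian Government Information Security Manual)"` vs `"AU ISM"`, `"NIST 800-53 Rev 5"` vs `"NIST 800-53 Rev.5"` (and `"NIST SP 800-53 Rev 5"` on the context lines of later hunks), `"AICPA SOC 2 Trust Services Criteria"` vs `"SOC 2 (AICPA Trust Services Criteria)"`, and `"UK NCSC CAF (Cyber Assessment Framework) v3.x"` vs `"UK NCSC CAF"`. If this index is produced from the per-skill source data, the generator should normalise to one canonical label per framework instead of copying each playbook's spelling through verbatim. The same pairs recur in the hunks at @@ -4531 +4953, @@ -5837 +6437, @@ -6248 +6925, @@ -6699 +7500 and @@ -6727 +7581. The `atlas` entry `AML.T0051` (LLM Prompt Injection) under CWE-522 presumably arrives through the union of the two referencing skills' chains rather than from a direct CWE mapping; worth confirming that join is intended, since it reads as authoritative in the index.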
@@ -5640,13 +6265,13 @@
|
|
|
5640
6265
|
"status": "Proposed Standard"
|
|
5641
6266
|
},
|
|
5642
6267
|
{
|
|
5643
|
-
"id": "RFC-
|
|
5644
|
-
"title": "
|
|
5645
|
-
"status": "
|
|
6268
|
+
"id": "RFC-7591",
|
|
6269
|
+
"title": "OAuth 2.0 Dynamic Client Registration Protocol",
|
|
6270
|
+
"status": "Proposed Standard"
|
|
5646
6271
|
},
|
|
5647
6272
|
{
|
|
5648
|
-
"id": "RFC-
|
|
5649
|
-
"title": "
|
|
6273
|
+
"id": "RFC-8693",
|
|
6274
|
+
"title": "OAuth 2.0 Token Exchange",
|
|
5650
6275
|
"status": "Proposed Standard"
|
|
5651
6276
|
},
|
|
5652
6277
|
{
|
|
@@ -5655,43 +6280,17 @@
|
|
|
5655
6280
|
"status": "Best Current Practice"
|
|
5656
6281
|
},
|
|
5657
6282
|
{
|
|
5658
|
-
"id": "RFC-
|
|
5659
|
-
"title": "
|
|
6283
|
+
"id": "RFC-9068",
|
|
6284
|
+
"title": "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens",
|
|
6285
|
+
"status": "Proposed Standard"
|
|
6286
|
+
},
|
|
6287
|
+
{
|
|
6288
|
+
"id": "RFC-9421",
|
|
6289
|
+
"title": "HTTP Message Signatures",
|
|
5660
6290
|
"status": "Proposed Standard"
|
|
5661
6291
|
}
|
|
5662
6292
|
]
|
|
5663
6293
|
},
|
|
5664
|
-
"related_cves": [
|
|
5665
|
-
"CVE-2025-53773",
|
|
5666
|
-
"CVE-2026-30615"
|
|
5667
|
-
]
|
|
5668
|
-
},
|
|
5669
|
-
"CWE-506": {
|
|
5670
|
-
"name": "Embedded Malicious Code",
|
|
5671
|
-
"category": "Supply Chain",
|
|
5672
|
-
"referencing_skills": [],
|
|
5673
|
-
"skill_count": 0,
|
|
5674
|
-
"chain": {
|
|
5675
|
-
"atlas": [],
|
|
5676
|
-
"attack_refs": [],
|
|
5677
|
-
"framework_gaps": [],
|
|
5678
|
-
"d3fend": [],
|
|
5679
|
-
"rfc_refs": []
|
|
5680
|
-
},
|
|
5681
|
-
"related_cves": []
|
|
5682
|
-
},
|
|
5683
|
-
"CWE-522": {
|
|
5684
|
-
"name": "Insufficiently Protected Credentials",
|
|
5685
|
-
"category": "Credentials Management",
|
|
5686
|
-
"referencing_skills": [],
|
|
5687
|
-
"skill_count": 0,
|
|
5688
|
-
"chain": {
|
|
5689
|
-
"atlas": [],
|
|
5690
|
-
"attack_refs": [],
|
|
5691
|
-
"framework_gaps": [],
|
|
5692
|
-
"d3fend": [],
|
|
5693
|
-
"rfc_refs": []
|
|
5694
|
-
},
|
|
5695
6294
|
"related_cves": []
|
|
5696
6295
|
},
|
|
5697
6296
|
"CWE-669": {
|
|
@@ -5807,9 +6406,10 @@
|
|
|
5807
6406
|
"identity-assurance",
|
|
5808
6407
|
"webapp-security",
|
|
5809
6408
|
"cloud-security",
|
|
5810
|
-
"container-runtime-security"
|
|
6409
|
+
"container-runtime-security",
|
|
6410
|
+
"cloud-iam-incident"
|
|
5811
6411
|
],
|
|
5812
|
-
"skill_count":
|
|
6412
|
+
"skill_count": 6,
|
|
5813
6413
|
"chain": {
|
|
5814
6414
|
"atlas": [
|
|
5815
6415
|
{
|
|
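Review bot: `skill_count` is a derived duplicate of `referencing_skills.length`, and the old value is cut off in this rendering, so the bump to `6` cannot be checked against the list from the hunk alone (the head of `referencing_skills` lies above the hunk). Because the two fields are written separately, they can drift whenever a skill is added, as this release does in three places; the generator should either drop `skill_count` or assert that it equals the array length for every CWE entry before the index is written. The same pattern appears in @@ -6219 +6894 (`"skill_count": 7`) and @@ -6675 +7474 (`"skill_count": 6`).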
@@ -5837,17 +6437,42 @@
|
|
|
5837
6437
|
"T1059",
|
|
5838
6438
|
"T1068",
|
|
5839
6439
|
"T1078",
|
|
6440
|
+
"T1078.004",
|
|
6441
|
+
"T1098.001",
|
|
5840
6442
|
"T1110",
|
|
5841
6443
|
"T1133",
|
|
5842
6444
|
"T1190",
|
|
5843
6445
|
"T1505",
|
|
5844
6446
|
"T1530",
|
|
6447
|
+
"T1538",
|
|
5845
6448
|
"T1552",
|
|
6449
|
+
"T1552.005",
|
|
5846
6450
|
"T1556",
|
|
6451
|
+
"T1580",
|
|
5847
6452
|
"T1610",
|
|
5848
6453
|
"T1611"
|
|
5849
6454
|
],
|
|
5850
6455
|
"framework_gaps": [
|
|
6456
|
+
{
|
|
6457
|
+
"id": "AU-ISM-1546-Cloud-Service-Account",
|
|
6458
|
+
"framework": "ACSC ISM (Australian Government Information Security Manual)",
|
|
6459
|
+
"control_name": "Multi-factor authentication for privileged users and remote access"
|
|
6460
|
+
},
|
|
6461
|
+
{
|
|
6462
|
+
"id": "AWS-Security-Hub-Coverage-Gap",
|
|
6463
|
+
"framework": "AWS Security Hub Foundational Security Best Practices (also GCP SCC, Azure Defender for Cloud)",
|
|
6464
|
+
"control_name": "CSP-native posture-tool baseline (cross-provider gap class)"
|
|
6465
|
+
},
|
|
6466
|
+
{
|
|
6467
|
+
"id": "CISA-Snowflake-AA24-IdP-Cloud",
|
|
6468
|
+
"framework": "CISA (US) - Cross-framework advisory",
|
|
6469
|
+
"control_name": "CISA Snowflake breach advisory - IdP-to-cloud chained-compromise"
|
|
6470
|
+
},
|
|
6471
|
+
{
|
|
6472
|
+
"id": "FedRAMP-IL5-IAM-Federated",
|
|
6473
|
+
"framework": "FedRAMP (US)",
|
|
6474
|
+
"control_name": "FedRAMP Impact-Level 5 baseline IAM controls"
|
|
6475
|
+
},
|
|
5851
6476
|
{
|
|
5852
6477
|
"id": "FedRAMP-Rev5-Moderate",
|
|
5853
6478
|
"framework": "FedRAMP Rev 5 Moderate",
|
|
@@ -5863,6 +6488,11 @@
|
|
|
5863
6488
|
"framework": "ISO/IEC 27001:2022",
|
|
5864
6489
|
"control_name": "Outsourced development"
|
|
5865
6490
|
},
|
|
6491
|
+
{
|
|
6492
|
+
"id": "ISO-27017-Cloud-IAM",
|
|
6493
|
+
"framework": "ISO/IEC 27017:2015",
|
|
6494
|
+
"control_name": "ISO/IEC 27017 cloud-services security extension to ISO/IEC 27001"
|
|
6495
|
+
},
|
|
5866
6496
|
{
|
|
5867
6497
|
"id": "NIS2-Art21-patch-management",
|
|
5868
6498
|
"framework": "EU NIS2 Directive",
|
|
@@ -5883,6 +6513,11 @@
|
|
|
5883
6513
|
"framework": "NIST SP 800-53 Rev 5",
|
|
5884
6514
|
"control_name": "Account Management"
|
|
5885
6515
|
},
|
|
6516
|
+
{
|
|
6517
|
+
"id": "NIST-800-53-AC-2-Cross-Account",
|
|
6518
|
+
"framework": "NIST 800-53 Rev 5",
|
|
6519
|
+
"control_name": "Account Management"
|
|
6520
|
+
},
|
|
5886
6521
|
{
|
|
5887
6522
|
"id": "NIST-800-53-CM-7",
|
|
5888
6523
|
"framework": "NIST SP 800-53 Rev 5",
|
|
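Review bot: The added `NIST-800-53-AC-2-Cross-Account` entry carries the same `control_name` (`"Account Management"`) as the entry directly above it (whose `id` is outside the hunk, framework `"NIST SP 800-53 Rev 5"`), and differs in display only by the `SP`-less spelling `"NIST 800-53 Rev 5"`; a consumer rendering gaps by framework and control will show two near-identical "Account Management" rows with nothing saying what the cross-account variant adds. Either the label should name the extension, e.g. `"control_name": "Account Management — cross-account trust extension"`, mirroring the `… — federated-trust extension` style the other new entries use, or the framework string should be normalised to `"NIST SP 800-53 Rev 5"` and the entry deduplicated. The same pair appears in @@ -6289 +7017 and @@ -6727 +7581, where `NIST-800-53-IA-5-Federated` adds a third spelling, `"NIST 800-53 Rev.5"`.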
@@ -5923,6 +6558,11 @@
|
|
|
5923
6558
|
"framework": "SLSA v1.0 (Supply-chain Levels for Software Artifacts) — Build Track",
|
|
5924
6559
|
"control_name": "Hardened build platform with non-falsifiable provenance"
|
|
5925
6560
|
},
|
|
6561
|
+
{
|
|
6562
|
+
"id": "SOC2-CC6-Access-Key-Leak-Public-Repo",
|
|
6563
|
+
"framework": "AICPA SOC 2 Trust Services Criteria",
|
|
6564
|
+
"control_name": "Logical Access Controls"
|
|
6565
|
+
},
|
|
5926
6566
|
{
|
|
5927
6567
|
"id": "SOC2-CC6-logical-access",
|
|
5928
6568
|
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
@@ -5932,9 +6572,24 @@
|
|
|
5932
6572
|
"id": "SOC2-CC9-vendor-management",
|
|
5933
6573
|
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
5934
6574
|
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
6575
|
+
},
|
|
6576
|
+
{
|
|
6577
|
+
"id": "UK-CAF-B2-Cloud-IAM",
|
|
6578
|
+
"framework": "UK NCSC CAF (Cyber Assessment Framework) v3.x",
|
|
6579
|
+
"control_name": "Identity and Access Control"
|
|
5935
6580
|
}
|
|
5936
6581
|
],
|
|
5937
6582
|
"d3fend": [
|
|
6583
|
+
{
|
|
6584
|
+
"id": "D3-CAA",
|
|
6585
|
+
"name": "Credential Access Auditing",
|
|
6586
|
+
"tactic": "Detect"
|
|
6587
|
+
},
|
|
6588
|
+
{
|
|
6589
|
+
"id": "D3-CBAN",
|
|
6590
|
+
"name": "Certificate-based Authentication",
|
|
6591
|
+
"tactic": "Harden"
|
|
6592
|
+
},
|
|
5938
6593
|
{
|
|
5939
6594
|
"id": "D3-CSPP",
|
|
5940
6595
|
"name": "Client-server Payload Profiling",
|
|
@@ -5945,6 +6600,16 @@
|
|
|
5945
6600
|
"name": "Executable Allowlisting",
|
|
5946
6601
|
"tactic": "Harden"
|
|
5947
6602
|
},
|
|
6603
|
+
{
|
|
6604
|
+
"id": "D3-IOPR",
|
|
6605
|
+
"name": "Input/Output Profiling Resource",
|
|
6606
|
+
"tactic": "Detect"
|
|
6607
|
+
},
|
|
6608
|
+
{
|
|
6609
|
+
"id": "D3-MFA",
|
|
6610
|
+
"name": "Multi-factor Authentication",
|
|
6611
|
+
"tactic": "Harden"
|
|
6612
|
+
},
|
|
5948
6613
|
{
|
|
5949
6614
|
"id": "D3-NTA",
|
|
5950
6615
|
"name": "Network Traffic Analysis",
|
|
@@ -5972,11 +6637,21 @@
|
|
|
5972
6637
|
"title": "The Transport Layer Security (TLS) Protocol Version 1.3",
|
|
5973
6638
|
"status": "Proposed Standard"
|
|
5974
6639
|
},
|
|
6640
|
+
{
|
|
6641
|
+
"id": "RFC-8693",
|
|
6642
|
+
"title": "OAuth 2.0 Token Exchange",
|
|
6643
|
+
"status": "Proposed Standard"
|
|
6644
|
+
},
|
|
5975
6645
|
{
|
|
5976
6646
|
"id": "RFC-8725",
|
|
5977
6647
|
"title": "JSON Web Token Best Current Practices",
|
|
5978
6648
|
"status": "Best Current Practice"
|
|
5979
6649
|
},
|
|
6650
|
+
{
|
|
6651
|
+
"id": "RFC-9068",
|
|
6652
|
+
"title": "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens",
|
|
6653
|
+
"status": "Proposed Standard"
|
|
6654
|
+
},
|
|
5980
6655
|
{
|
|
5981
6656
|
"id": "RFC-9114",
|
|
5982
6657
|
"title": "HTTP/3",
|
|
@@ -6219,9 +6894,11 @@
|
|
|
6219
6894
|
"ot-ics-security",
|
|
6220
6895
|
"sector-financial",
|
|
6221
6896
|
"sector-energy",
|
|
6222
|
-
"cloud-security"
|
|
6897
|
+
"cloud-security",
|
|
6898
|
+
"ransomware-response",
|
|
6899
|
+
"cloud-iam-incident"
|
|
6223
6900
|
],
|
|
6224
|
-
"skill_count":
|
|
6901
|
+
"skill_count": 7,
|
|
6225
6902
|
"chain": {
|
|
6226
6903
|
"atlas": [
|
|
6227
6904
|
{
|
|
@@ -6248,17 +6925,53 @@
|
|
|
6248
6925
|
"attack_refs": [
|
|
6249
6926
|
"T0855",
|
|
6250
6927
|
"T0883",
|
|
6928
|
+
"T1059",
|
|
6251
6929
|
"T1068",
|
|
6252
6930
|
"T1078",
|
|
6931
|
+
"T1078.004",
|
|
6932
|
+
"T1098.001",
|
|
6253
6933
|
"T1110",
|
|
6254
6934
|
"T1190",
|
|
6255
6935
|
"T1486",
|
|
6256
6936
|
"T1530",
|
|
6937
|
+
"T1538",
|
|
6257
6938
|
"T1552",
|
|
6939
|
+
"T1552.005",
|
|
6258
6940
|
"T1556",
|
|
6259
|
-
"T1567"
|
|
6941
|
+
"T1567",
|
|
6942
|
+
"T1580"
|
|
6260
6943
|
],
|
|
6261
6944
|
"framework_gaps": [
|
|
6945
|
+
{
|
|
6946
|
+
"id": "AU-ISM-1546-Cloud-Service-Account",
|
|
6947
|
+
"framework": "ACSC ISM (Australian Government Information Security Manual)",
|
|
6948
|
+
"control_name": "Multi-factor authentication for privileged users and remote access"
|
|
6949
|
+
},
|
|
6950
|
+
{
|
|
6951
|
+
"id": "AWS-Security-Hub-Coverage-Gap",
|
|
6952
|
+
"framework": "AWS Security Hub Foundational Security Best Practices (also GCP SCC, Azure Defender for Cloud)",
|
|
6953
|
+
"control_name": "CSP-native posture-tool baseline (cross-provider gap class)"
|
|
6954
|
+
},
|
|
6955
|
+
{
|
|
6956
|
+
"id": "CISA-Snowflake-AA24-IdP-Cloud",
|
|
6957
|
+
"framework": "CISA (US) - Cross-framework advisory",
|
|
6958
|
+
"control_name": "CISA Snowflake breach advisory - IdP-to-cloud chained-compromise"
|
|
6959
|
+
},
|
|
6960
|
+
{
|
|
6961
|
+
"id": "Decryptor-Availability-Pre-Decision",
|
|
6962
|
+
"framework": "ALL",
|
|
6963
|
+
"control_name": "Decryptor availability lookup as precondition to ransomware pay/restore decision"
|
|
6964
|
+
},
|
|
6965
|
+
{
|
|
6966
|
+
"id": "EU-Sanctions-Reg-2014-833-Cyber",
|
|
6967
|
+
"framework": "EU",
|
|
6968
|
+
"control_name": "EU Council Regulation 2014/833 — Cyber Sanctions screening on ransomware payment posture"
|
|
6969
|
+
},
|
|
6970
|
+
{
|
|
6971
|
+
"id": "FedRAMP-IL5-IAM-Federated",
|
|
6972
|
+
"framework": "FedRAMP (US)",
|
|
6973
|
+
"control_name": "FedRAMP Impact-Level 5 baseline IAM controls"
|
|
6974
|
+
},
|
|
6262
6975
|
{
|
|
6263
6976
|
"id": "FedRAMP-Rev5-Moderate",
|
|
6264
6977
|
"framework": "FedRAMP Rev 5 Moderate",
|
|
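Review bot: The `EU-Sanctions-Reg-2014-833-Cyber` entry's `control_name` cites `EU Council Regulation 2014/833` for cyber sanctions, but Council Regulation (EU) No 833/2014 is the Russia/Ukraine sectoral restrictive-measures regulation, while the EU regime for restrictive measures against cyber-attacks is Council Regulation (EU) 2019/796; the citation, and the `id` derived from it, looks mis-numbered and should be checked against the source playbook before it ships in a compliance index. Separately, `"framework": "ALL"` on `Decryptor-Availability-Pre-Decision` (and on the entries added in @@ -6274 +6987 and @@ -6304 +7037) reuses a field that otherwise names a specific standard, so grouping by `framework` will yield an `ALL` bucket next to real frameworks. A separate boolean flag for framework-agnostic controls, with `framework` left null or descriptive, would keep the field's meaning stable for consumers.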
@@ -6274,6 +6987,21 @@
|
|
|
6274
6987
|
"framework": "ISO/IEC 27001:2022",
|
|
6275
6988
|
"control_name": "Outsourced development"
|
|
6276
6989
|
},
|
|
6990
|
+
{
|
|
6991
|
+
"id": "ISO-27017-Cloud-IAM",
|
|
6992
|
+
"framework": "ISO/IEC 27017:2015",
|
|
6993
|
+
"control_name": "ISO/IEC 27017 cloud-services security extension to ISO/IEC 27001"
|
|
6994
|
+
},
|
|
6995
|
+
{
|
|
6996
|
+
"id": "Immutable-Backup-Recovery",
|
|
6997
|
+
"framework": "ALL",
|
|
6998
|
+
"control_name": "Immutable backup as distinct sub-property of backup control (vs replication / write-protect / off-network)"
|
|
6999
|
+
},
|
|
7000
|
+
{
|
|
7001
|
+
"id": "Insurance-Carrier-24h-Notification",
|
|
7002
|
+
"framework": "ALL",
|
|
7003
|
+
"control_name": "Cyber insurance carrier 24h notification with pre-approval workflow"
|
|
7004
|
+
},
|
|
6277
7005
|
{
|
|
6278
7006
|
"id": "NERC-CIP-007-6-R4",
|
|
6279
7007
|
"framework": "NERC CIP-007-6 (BES Cyber System Security Management)",
|
|
@@ -6289,6 +7017,11 @@
|
|
|
6289
7017
|
"framework": "NIST SP 800-53 Rev 5",
|
|
6290
7018
|
"control_name": "Account Management"
|
|
6291
7019
|
},
|
|
7020
|
+
{
|
|
7021
|
+
"id": "NIST-800-53-AC-2-Cross-Account",
|
|
7022
|
+
"framework": "NIST 800-53 Rev 5",
|
|
7023
|
+
"control_name": "Account Management"
|
|
7024
|
+
},
|
|
6292
7025
|
{
|
|
6293
7026
|
"id": "NIST-800-53-CM-7",
|
|
6294
7027
|
"framework": "NIST SP 800-53 Rev 5",
|
|
@@ -6304,11 +7037,26 @@
|
|
|
6304
7037
|
"framework": "NIST SP 800-82 Rev 3 (Guide to OT Security)",
|
|
6305
7038
|
"control_name": "Guide to Operational Technology (OT) Security"
|
|
6306
7039
|
},
|
|
7040
|
+
{
|
|
7041
|
+
"id": "OFAC-SDN-Payment-Block",
|
|
7042
|
+
"framework": "ALL",
|
|
7043
|
+
"control_name": "OFAC SDN sanctions screening as blocking gate on ransomware payment posture"
|
|
7044
|
+
},
|
|
7045
|
+
{
|
|
7046
|
+
"id": "PHI-Exfil-Before-Encrypt-Breach-Class",
|
|
7047
|
+
"framework": "ALL",
|
|
7048
|
+
"control_name": "PHI / personal-data exfiltration before encryption as distinct breach class from the encryption event"
|
|
7049
|
+
},
|
|
6307
7050
|
{
|
|
6308
7051
|
"id": "PSD2-RTS-SCA",
|
|
6309
7052
|
"framework": "EU PSD2 Regulatory Technical Standards on Strong Customer Authentication (Commission Delegated Regulation (EU) 2018/389)",
|
|
6310
7053
|
"control_name": "Strong Customer Authentication and Common and Secure Communication"
|
|
6311
7054
|
},
|
|
7055
|
+
{
|
|
7056
|
+
"id": "SOC2-CC6-Access-Key-Leak-Public-Repo",
|
|
7057
|
+
"framework": "AICPA SOC 2 Trust Services Criteria",
|
|
7058
|
+
"control_name": "Logical Access Controls"
|
|
7059
|
+
},
|
|
6312
7060
|
{
|
|
6313
7061
|
"id": "SOC2-CC6-logical-access",
|
|
6314
7062
|
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
@@ -6323,9 +7071,50 @@
|
|
|
6323
7071
|
"id": "SWIFT-CSCF-v2026-1.1",
|
|
6324
7072
|
"framework": "SWIFT Customer Security Controls Framework v2026",
|
|
6325
7073
|
"control_name": "SWIFT Environment Protection"
|
|
7074
|
+
},
|
|
7075
|
+
{
|
|
7076
|
+
"id": "UK-CAF-B2-Cloud-IAM",
|
|
7077
|
+
"framework": "UK NCSC CAF (Cyber Assessment Framework) v3.x",
|
|
7078
|
+
"control_name": "Identity and Access Control"
|
|
7079
|
+
}
|
|
7080
|
+
],
|
|
7081
|
+
"d3fend": [
|
|
7082
|
+
{
|
|
7083
|
+
"id": "D3-CAA",
|
|
7084
|
+
"name": "Credential Access Auditing",
|
|
7085
|
+
"tactic": "Detect"
|
|
7086
|
+
},
|
|
7087
|
+
{
|
|
7088
|
+
"id": "D3-CBAN",
|
|
7089
|
+
"name": "Certificate-based Authentication",
|
|
7090
|
+
"tactic": "Harden"
|
|
7091
|
+
},
|
|
7092
|
+
{
|
|
7093
|
+
"id": "D3-CSPP",
|
|
7094
|
+
"name": "Client-server Payload Profiling",
|
|
7095
|
+
"tactic": "Detect"
|
|
7096
|
+
},
|
|
7097
|
+
{
|
|
7098
|
+
"id": "D3-IOPR",
|
|
7099
|
+
"name": "Input/Output Profiling Resource",
|
|
7100
|
+
"tactic": "Detect"
|
|
7101
|
+
},
|
|
7102
|
+
{
|
|
7103
|
+
"id": "D3-MFA",
|
|
7104
|
+
"name": "Multi-factor Authentication",
|
|
7105
|
+
"tactic": "Harden"
|
|
7106
|
+
},
|
|
7107
|
+
{
|
|
7108
|
+
"id": "D3-NTA",
|
|
7109
|
+
"name": "Network Traffic Analysis",
|
|
7110
|
+
"tactic": "Detect"
|
|
7111
|
+
},
|
|
7112
|
+
{
|
|
7113
|
+
"id": "D3-RPA",
|
|
7114
|
+
"name": "Remote Process Analysis",
|
|
7115
|
+
"tactic": "Detect"
|
|
6326
7116
|
}
|
|
6327
7117
|
],
|
|
6328
|
-
"d3fend": [],
|
|
6329
7118
|
"rfc_refs": [
|
|
6330
7119
|
{
|
|
6331
7120
|
"id": "RFC-6749",
|
|
@@ -6347,11 +7136,21 @@
|
|
|
6347
7136
|
"title": "The Transport Layer Security (TLS) Protocol Version 1.3",
|
|
6348
7137
|
"status": "Proposed Standard"
|
|
6349
7138
|
},
|
|
7139
|
+
{
|
|
7140
|
+
"id": "RFC-8693",
|
|
7141
|
+
"title": "OAuth 2.0 Token Exchange",
|
|
7142
|
+
"status": "Proposed Standard"
|
|
7143
|
+
},
|
|
6350
7144
|
{
|
|
6351
7145
|
"id": "RFC-8725",
|
|
6352
7146
|
"title": "JSON Web Token Best Current Practices",
|
|
6353
7147
|
"status": "Best Current Practice"
|
|
6354
7148
|
},
|
|
7149
|
+
{
|
|
7150
|
+
"id": "RFC-9068",
|
|
7151
|
+
"title": "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens",
|
|
7152
|
+
"status": "Proposed Standard"
|
|
7153
|
+
},
|
|
6355
7154
|
{
|
|
6356
7155
|
"id": "RFC-9180",
|
|
6357
7156
|
"title": "Hybrid Public Key Encryption",
|
|
@@ -6675,9 +7474,11 @@
|
|
|
6675
7474
|
"identity-assurance",
|
|
6676
7475
|
"webapp-security",
|
|
6677
7476
|
"sector-financial",
|
|
6678
|
-
"api-security"
|
|
7477
|
+
"api-security",
|
|
7478
|
+
"cloud-iam-incident",
|
|
7479
|
+
"idp-incident-response"
|
|
6679
7480
|
],
|
|
6680
|
-
"skill_count":
|
|
7481
|
+
"skill_count": 6,
|
|
6681
7482
|
"chain": {
|
|
6682
7483
|
"atlas": [
|
|
6683
7484
|
{
|
|
@@ -6699,14 +7500,57 @@
|
|
|
6699
7500
|
"attack_refs": [
|
|
6700
7501
|
"T1059",
|
|
6701
7502
|
"T1078",
|
|
7503
|
+
"T1078.004",
|
|
7504
|
+
"T1098.001",
|
|
6702
7505
|
"T1110",
|
|
6703
7506
|
"T1190",
|
|
7507
|
+
"T1199",
|
|
6704
7508
|
"T1486",
|
|
6705
7509
|
"T1505",
|
|
7510
|
+
"T1538",
|
|
7511
|
+
"T1552.005",
|
|
6706
7512
|
"T1556",
|
|
6707
|
-
"
|
|
7513
|
+
"T1556.007",
|
|
7514
|
+
"T1567",
|
|
7515
|
+
"T1580",
|
|
7516
|
+
"T1606.002"
|
|
6708
7517
|
],
|
|
6709
7518
|
"framework_gaps": [
|
|
7519
|
+
{
|
|
7520
|
+
"id": "AU-ISM-1546-Cloud-Service-Account",
|
|
7521
|
+
"framework": "ACSC ISM (Australian Government Information Security Manual)",
|
|
7522
|
+
"control_name": "Multi-factor authentication for privileged users and remote access"
|
|
7523
|
+
},
|
|
7524
|
+
{
|
|
7525
|
+
"id": "AU-ISM-1559-IdP",
|
|
7526
|
+
"framework": "AU ISM",
|
|
7527
|
+
"control_name": "Privileged Account Credential Management — IdP-tenant control-plane extension"
|
|
7528
|
+
},
|
|
7529
|
+
{
|
|
7530
|
+
"id": "AWS-Security-Hub-Coverage-Gap",
|
|
7531
|
+
"framework": "AWS Security Hub Foundational Security Best Practices (also GCP SCC, Azure Defender for Cloud)",
|
|
7532
|
+
"control_name": "CSP-native posture-tool baseline (cross-provider gap class)"
|
|
7533
|
+
},
|
|
7534
|
+
{
|
|
7535
|
+
"id": "CISA-Snowflake-AA24-IdP-Cloud",
|
|
7536
|
+
"framework": "CISA (US) - Cross-framework advisory",
|
|
7537
|
+
"control_name": "CISA Snowflake breach advisory - IdP-to-cloud chained-compromise"
|
|
7538
|
+
},
|
|
7539
|
+
{
|
|
7540
|
+
"id": "DORA-Art-19-IdP-4h",
|
|
7541
|
+
"framework": "EU DORA",
|
|
7542
|
+
"control_name": "Major-ICT-related-incident notification — IdP-specific 4-hour clock"
|
|
7543
|
+
},
|
|
7544
|
+
{
|
|
7545
|
+
"id": "FedRAMP-IL5-IAM-Federated",
|
|
7546
|
+
"framework": "FedRAMP (US)",
|
|
7547
|
+
"control_name": "FedRAMP Impact-Level 5 baseline IAM controls"
|
|
7548
|
+
},
|
|
7549
|
+
{
|
|
7550
|
+
"id": "ISO-27001-2022-A.5.16-Federated",
|
|
7551
|
+
"framework": "ISO/IEC 27001:2022",
|
|
7552
|
+
"control_name": "Identity Management + Authentication Information — federated-state extension"
|
|
7553
|
+
},
|
|
6710
7554
|
{
|
|
6711
7555
|
"id": "ISO-27001-2022-A.8.28",
|
|
6712
7556
|
"framework": "ISO/IEC 27001:2022",
|
|
@@ -6717,6 +7561,16 @@
|
|
|
6717
7561
|
"framework": "ISO/IEC 27001:2022",
|
|
6718
7562
|
"control_name": "Outsourced development"
|
|
6719
7563
|
},
|
|
7564
|
+
{
|
|
7565
|
+
"id": "ISO-27017-Cloud-IAM",
|
|
7566
|
+
"framework": "ISO/IEC 27017:2015",
|
|
7567
|
+
"control_name": "ISO/IEC 27017 cloud-services security extension to ISO/IEC 27001"
|
|
7568
|
+
},
|
|
7569
|
+
{
|
|
7570
|
+
"id": "NIS2-Art-21-Federated-Identity",
|
|
7571
|
+
"framework": "EU NIS2 Directive",
|
|
7572
|
+
"control_name": "Cryptography + Access Control — federated-identity extension"
|
|
7573
|
+
},
|
|
6720
7574
|
{
|
|
6721
7575
|
"id": "NIST-800-218-SSDF",
|
|
6722
7576
|
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
@@ -6727,11 +7581,26 @@
|
|
|
6727
7581
|
"framework": "NIST SP 800-53 Rev 5",
|
|
6728
7582
|
"control_name": "Account Management"
|
|
6729
7583
|
},
|
|
7584
|
+
{
|
|
7585
|
+
"id": "NIST-800-53-AC-2-Cross-Account",
|
|
7586
|
+
"framework": "NIST 800-53 Rev 5",
|
|
7587
|
+
"control_name": "Account Management"
|
|
7588
|
+
},
|
|
7589
|
+
{
|
|
7590
|
+
"id": "NIST-800-53-IA-5-Federated",
|
|
7591
|
+
"framework": "NIST 800-53 Rev.5",
|
|
7592
|
+
"control_name": "Authenticator Management — federated-trust extension"
|
|
7593
|
+
},
|
|
6730
7594
|
{
|
|
6731
7595
|
"id": "NIST-800-63B-rev4",
|
|
6732
7596
|
"framework": "NIST SP 800-63B Rev 4 (Digital Identity Guidelines — Authentication & Lifecycle Mgmt)",
|
|
6733
7597
|
"control_name": "Authentication and Lifecycle Management (AAL/IAL/FAL)"
|
|
6734
7598
|
},
|
|
7599
|
+
{
|
|
7600
|
+
"id": "OFAC-Sanctions-Threat-Actor-Negotiation",
|
|
7601
|
+
"framework": "US Treasury OFAC + EU sanctions overlay + UK OFSI",
|
|
7602
|
+
"control_name": "Sanctions screening on ransomware-payment / threat-actor negotiation"
|
|
7603
|
+
},
|
|
6735
7604
|
{
|
|
6736
7605
|
"id": "OWASP-ASVS-v5.0-V14",
|
|
6737
7606
|
"framework": "OWASP ASVS v5.0",
|
|
@@ -6747,6 +7616,16 @@
|
|
|
6747
7616
|
"framework": "EU PSD2 Regulatory Technical Standards on Strong Customer Authentication (Commission Delegated Regulation (EU) 2018/389)",
|
|
6748
7617
|
"control_name": "Strong Customer Authentication and Common and Secure Communication"
|
|
6749
7618
|
},
|
|
7619
|
+
{
|
|
7620
|
+
"id": "SOC2-CC6-Access-Key-Leak-Public-Repo",
|
|
7621
|
+
"framework": "AICPA SOC 2 Trust Services Criteria",
|
|
7622
|
+
"control_name": "Logical Access Controls"
|
|
7623
|
+
},
|
|
7624
|
+
{
|
|
7625
|
+
"id": "SOC2-CC6-OAuth-Consent",
|
|
7626
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
7627
|
+
"control_name": "Logical and Physical Access Controls — OAuth consent extension"
|
|
7628
|
+
},
|
|
6750
7629
|
{
|
|
6751
7630
|
"id": "SOC2-CC6-logical-access",
|
|
6752
7631
|
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
@@ -6756,9 +7635,45 @@
|
|
|
6756
7635
|
"id": "SWIFT-CSCF-v2026-1.1",
|
|
6757
7636
|
"framework": "SWIFT Customer Security Controls Framework v2026",
|
|
6758
7637
|
"control_name": "SWIFT Environment Protection"
|
|
7638
|
+
},
|
|
7639
|
+
{
|
|
7640
|
+
"id": "UK-CAF-B2-Cloud-IAM",
|
|
7641
|
+
"framework": "UK NCSC CAF (Cyber Assessment Framework) v3.x",
|
|
7642
|
+
"control_name": "Identity and Access Control"
|
|
7643
|
+
},
|
|
7644
|
+
{
|
|
7645
|
+
"id": "UK-CAF-B2-IdP-Tenant",
|
|
7646
|
+
"framework": "UK NCSC CAF",
|
|
7647
|
+
"control_name": "Identity and Access Control — IdP-tenant control-plane extension"
|
|
7648
|
+
}
|
|
7649
|
+
],
|
|
7650
|
+
"d3fend": [
|
|
7651
|
+
{
|
|
7652
|
+
"id": "D3-CAA",
|
|
7653
|
+
"name": "Credential Access Auditing",
|
|
7654
|
+
"tactic": "Detect"
|
|
7655
|
+
},
|
|
7656
|
+
{
|
|
7657
|
+
"id": "D3-CBAN",
|
|
7658
|
+
"name": "Certificate-based Authentication",
|
|
7659
|
+
"tactic": "Harden"
|
|
7660
|
+
},
|
|
7661
|
+
{
|
|
7662
|
+
"id": "D3-IOPR",
|
|
7663
|
+
"name": "Input/Output Profiling Resource",
|
|
7664
|
+
"tactic": "Detect"
|
|
7665
|
+
},
|
|
7666
|
+
{
|
|
7667
|
+
"id": "D3-MFA",
|
|
7668
|
+
"name": "Multi-factor Authentication",
|
|
7669
|
+
"tactic": "Harden"
|
|
7670
|
+
},
|
|
7671
|
+
{
|
|
7672
|
+
"id": "D3-NTA",
|
|
7673
|
+
"name": "Network Traffic Analysis",
|
|
7674
|
+
"tactic": "Detect"
|
|
6759
7675
|
}
|
|
6760
7676
|
],
|
|
6761
|
-
"d3fend": [],
|
|
6762
7677
|
"rfc_refs": [
|
|
6763
7678
|
{
|
|
6764
7679
|
"id": "RFC-6749",
|
|
@@ -6770,6 +7685,11 @@
|
|
|
6770
7685
|
"title": "JSON Web Token (JWT)",
|
|
6771
7686
|
"status": "Proposed Standard"
|
|
6772
7687
|
},
|
|
7688
|
+
{
|
|
7689
|
+
"id": "RFC-7591",
|
|
7690
|
+
"title": "OAuth 2.0 Dynamic Client Registration Protocol",
|
|
7691
|
+
"status": "Proposed Standard"
|
|
7692
|
+
},
|
|
6773
7693
|
{
|
|
6774
7694
|
"id": "RFC-8032",
|
|
6775
7695
|
"title": "Edwards-Curve Digital Signature Algorithm (EdDSA)",
|
|
@@ -6780,11 +7700,21 @@
|
|
|
6780
7700
|
"title": "The Transport Layer Security (TLS) Protocol Version 1.3",
|
|
6781
7701
|
"status": "Proposed Standard"
|
|
6782
7702
|
},
|
|
7703
|
+
{
|
|
7704
|
+
"id": "RFC-8693",
|
|
7705
|
+
"title": "OAuth 2.0 Token Exchange",
|
|
7706
|
+
"status": "Proposed Standard"
|
|
7707
|
+
},
|
|
6783
7708
|
{
|
|
6784
7709
|
"id": "RFC-8725",
|
|
6785
7710
|
"title": "JSON Web Token Best Current Practices",
|
|
6786
7711
|
"status": "Best Current Practice"
|
|
6787
7712
|
},
|
|
7713
|
+
{
|
|
7714
|
+
"id": "RFC-9068",
|
|
7715
|
+
"title": "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens",
|
|
7716
|
+
"status": "Proposed Standard"
|
|
7717
|
+
},
|
|
6788
7718
|
{
|
|
6789
7719
|
"id": "RFC-9114",
|
|
6790
7720
|
"title": "HTTP/3",
|