framework-mcp 2.2.2 → 2.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/workflows/ci.yml +12 -1
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +48 -81
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/interfaces/http/http-server.js +2 -2
- package/dist/interfaces/mcp/mcp-server.js +2 -2
- package/package.json +1 -1
- package/src/core/safeguard-manager.ts +48 -81
- package/src/interfaces/http/http-server.ts +2 -2
- package/src/interfaces/mcp/mcp-server.ts +2 -2
package/.github/workflows/ci.yml
CHANGED
|
@@ -73,7 +73,18 @@ jobs:
|
|
|
73
73
|
- name: Build
|
|
74
74
|
run: npm run build
|
|
75
75
|
|
|
76
|
+
- name: Check if version exists on npm
|
|
77
|
+
id: version-check
|
|
78
|
+
run: |
|
|
79
|
+
PACKAGE_VERSION=$(node -p "require('./package.json').version")
|
|
80
|
+
if npm view framework-mcp@$PACKAGE_VERSION version 2>/dev/null; then
|
|
81
|
+
echo "exists=true" >> $GITHUB_OUTPUT
|
|
82
|
+
else
|
|
83
|
+
echo "exists=false" >> $GITHUB_OUTPUT
|
|
84
|
+
fi
|
|
85
|
+
|
|
76
86
|
- name: Publish to npm
|
|
77
|
-
|
|
87
|
+
if: steps.version-check.outputs.exists == 'false'
|
|
88
|
+
run: npm publish
|
|
78
89
|
env:
|
|
79
90
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"safeguard-manager.d.ts","sourceRoot":"","sources":["../../src/core/safeguard-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAQ;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAChE,OAAO,CAAC,kBAAkB,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAa;;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,eAAe,GAAE,OAAe,GAAG,gBAAgB,GAAG,IAAI;IA4BnG,uBAAuB,IAAI,MAAM,EAAE;IAgBnC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAIpD,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAerD,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACI,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IAO7D;;OAEG;IACI,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,oBAAoB;
|
|
1
|
+
{"version":3,"file":"safeguard-manager.d.ts","sourceRoot":"","sources":["../../src/core/safeguard-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAQ;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAChE,OAAO,CAAC,kBAAkB,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAa;;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,eAAe,GAAE,OAAe,GAAG,gBAAgB,GAAG,IAAI;IA4BnG,uBAAuB,IAAI,MAAM,EAAE;IAgBnC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAIpD,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAerD,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACI,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IAO7D;;OAEG;IACI,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,oBAAoB;CAq+gB7B"}
|
|
@@ -519,23 +519,19 @@ export class SafeguardManager {
|
|
|
519
519
|
"2.1": {
|
|
520
520
|
id: "2.1",
|
|
521
521
|
title: "Establish and Maintain a Software Inventory",
|
|
522
|
-
description: "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets",
|
|
522
|
+
description: "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently.",
|
|
523
523
|
implementationGroup: "IG1",
|
|
524
|
-
assetType: ["
|
|
524
|
+
assetType: ["Software"],
|
|
525
525
|
securityFunction: ["Identify"],
|
|
526
526
|
governanceElements: [
|
|
527
|
-
"Establish
|
|
528
|
-
"The software inventory must document the
|
|
529
|
-
"Review and update the software inventory bi-annually, or more frequently"
|
|
527
|
+
"Establish a Software Inventory",
|
|
528
|
+
"The software inventory must document the sub-taxonomical elements, where appropriate",
|
|
529
|
+
"Review and update the software inventory bi-annually, or more frequently - AKA Maintain"
|
|
530
530
|
],
|
|
531
531
|
coreRequirements: [
|
|
532
|
-
"Detailed inventory of all licensed software"
|
|
533
|
-
"Installed on enterprise Assets"
|
|
532
|
+
"Detailed inventory of all licensed software"
|
|
534
533
|
],
|
|
535
534
|
subTaxonomicalElements: [
|
|
536
|
-
"Establish",
|
|
537
|
-
"Maintain",
|
|
538
|
-
"Must Document",
|
|
539
535
|
"Title",
|
|
540
536
|
"Publisher",
|
|
541
537
|
"Initial Install / Use Date",
|
|
@@ -544,10 +540,7 @@ export class SafeguardManager {
|
|
|
544
540
|
"App Store(s)",
|
|
545
541
|
"App Version(s)",
|
|
546
542
|
"Deployment mechanism",
|
|
547
|
-
"Decomm. Date"
|
|
548
|
-
"Where appropriate",
|
|
549
|
-
"bi-annually",
|
|
550
|
-
"More Frequently"
|
|
543
|
+
"Decomm. Date"
|
|
551
544
|
],
|
|
552
545
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
553
546
|
],
|
|
@@ -603,7 +596,7 @@ export class SafeguardManager {
|
|
|
603
596
|
title: "Ensure That Only Currently Supported Software Is Designated as Authorized",
|
|
604
597
|
description: "Ensure that only currently supported software is designated as authorized in the software inventory",
|
|
605
598
|
implementationGroup: "IG1",
|
|
606
|
-
assetType: ["
|
|
599
|
+
assetType: ["Software"],
|
|
607
600
|
securityFunction: ["Identify"],
|
|
608
601
|
governanceElements: [
|
|
609
602
|
"Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently."
|
|
@@ -613,15 +606,10 @@ export class SafeguardManager {
|
|
|
613
606
|
"Authorized in the software inventory"
|
|
614
607
|
],
|
|
615
608
|
subTaxonomicalElements: [
|
|
616
|
-
"Ensure",
|
|
617
609
|
"Determine if Authorized Software Is Currently Supported",
|
|
618
|
-
"If Unsupported",
|
|
619
610
|
"Determine Necessity for Business",
|
|
620
|
-
"Document Exception detailing mitigating controls",
|
|
621
|
-
"Document Residual risk acceptance"
|
|
622
|
-
"Review the software list",
|
|
623
|
-
"Monthly",
|
|
624
|
-
"More frequently"
|
|
611
|
+
"Document Exception detailing mitigating controls IF Unsupported",
|
|
612
|
+
"Document Residual risk acceptance IF Unsupported"
|
|
625
613
|
],
|
|
626
614
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
627
615
|
],
|
|
@@ -677,7 +665,7 @@ export class SafeguardManager {
|
|
|
677
665
|
title: "Address Unauthorized Software",
|
|
678
666
|
description: "Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.",
|
|
679
667
|
implementationGroup: "IG1",
|
|
680
|
-
assetType: ["
|
|
668
|
+
assetType: ["Software"],
|
|
681
669
|
securityFunction: ["Respond"],
|
|
682
670
|
governanceElements: [
|
|
683
671
|
"Ensure",
|
|
@@ -689,9 +677,7 @@ export class SafeguardManager {
|
|
|
689
677
|
subTaxonomicalElements: [
|
|
690
678
|
"Address Unauthorized Software",
|
|
691
679
|
"Remove from use",
|
|
692
|
-
"Document Exception"
|
|
693
|
-
"Monthly",
|
|
694
|
-
"More Frequently"
|
|
680
|
+
"Document Exception"
|
|
695
681
|
],
|
|
696
682
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
697
683
|
],
|
|
@@ -747,21 +733,19 @@ export class SafeguardManager {
|
|
|
747
733
|
title: "Utilize Automated Software Inventory Tools",
|
|
748
734
|
description: "Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.",
|
|
749
735
|
implementationGroup: "IG2",
|
|
750
|
-
assetType: ["
|
|
736
|
+
assetType: ["Software"],
|
|
751
737
|
securityFunction: ["Detect"],
|
|
752
738
|
governanceElements: [
|
|
753
739
|
"Utilize",
|
|
754
740
|
"when possible"
|
|
755
741
|
],
|
|
756
742
|
coreRequirements: [
|
|
757
|
-
"software inventory tools"
|
|
758
|
-
"automate the discovery and documentation of installed software"
|
|
743
|
+
"software inventory tools"
|
|
759
744
|
],
|
|
760
745
|
subTaxonomicalElements: [
|
|
761
746
|
"Automate Discovery",
|
|
762
747
|
"Automate Documentation",
|
|
763
|
-
"Installed Software"
|
|
764
|
-
"When possible"
|
|
748
|
+
"Installed Software"
|
|
765
749
|
],
|
|
766
750
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
767
751
|
],
|
|
@@ -817,7 +801,7 @@ export class SafeguardManager {
|
|
|
817
801
|
title: "Allowlist Authorized Software",
|
|
818
802
|
description: "Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.",
|
|
819
803
|
implementationGroup: "IG2",
|
|
820
|
-
assetType: ["
|
|
804
|
+
assetType: ["Software"],
|
|
821
805
|
securityFunction: ["Protect"],
|
|
822
806
|
governanceElements: [
|
|
823
807
|
"Use",
|
|
@@ -829,13 +813,9 @@ export class SafeguardManager {
|
|
|
829
813
|
"only authorized software can execute or be accessed"
|
|
830
814
|
],
|
|
831
815
|
subTaxonomicalElements: [
|
|
832
|
-
"Allowlist Authorized Software",
|
|
833
816
|
"Technical Controls",
|
|
834
|
-
"Execute",
|
|
835
|
-
"Accessed"
|
|
836
|
-
"Reassess",
|
|
837
|
-
"Bi-Annually",
|
|
838
|
-
"More Frequently"
|
|
817
|
+
"Allow software to Execute",
|
|
818
|
+
"Allow software to be Accessed"
|
|
839
819
|
],
|
|
840
820
|
implementationSuggestions: [
|
|
841
821
|
"Application Allowlisting"
|
|
@@ -892,27 +872,20 @@ export class SafeguardManager {
|
|
|
892
872
|
title: "Allowlist Authorized Libraries",
|
|
893
873
|
description: "Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so. files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.",
|
|
894
874
|
implementationGroup: "IG2",
|
|
895
|
-
assetType: ["
|
|
875
|
+
assetType: ["Software"],
|
|
896
876
|
securityFunction: ["Protect"],
|
|
897
877
|
governanceElements: [
|
|
898
878
|
"Use",
|
|
899
879
|
"Ensure",
|
|
900
|
-
"Block unauthorized libraries from loading into a system process",
|
|
901
880
|
"Reassess bi-annually, or more frequently"
|
|
902
881
|
],
|
|
903
882
|
coreRequirements: [
|
|
904
|
-
"technical controls",
|
|
905
883
|
"only authorized software libraries",
|
|
906
884
|
"are allowed to load into a system process"
|
|
907
885
|
],
|
|
908
886
|
subTaxonomicalElements: [
|
|
909
|
-
"Only authorized software libraries",
|
|
910
|
-
"Are allowed to load into a system process",
|
|
911
887
|
"Technical Controls",
|
|
912
|
-
"Block unauthorized libraries from loading into a system process"
|
|
913
|
-
"Reassess",
|
|
914
|
-
"Bi-Annually",
|
|
915
|
-
"More Frequently"
|
|
888
|
+
"Block unauthorized libraries from loading into a system process"
|
|
916
889
|
],
|
|
917
890
|
implementationSuggestions: [
|
|
918
891
|
"Specific .dll files",
|
|
@@ -971,25 +944,19 @@ export class SafeguardManager {
|
|
|
971
944
|
title: "Allowlist Authorized Scripts",
|
|
972
945
|
description: "Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.",
|
|
973
946
|
implementationGroup: "IG3",
|
|
974
|
-
assetType: ["
|
|
947
|
+
assetType: ["Software"],
|
|
975
948
|
securityFunction: ["Protect"],
|
|
976
949
|
governanceElements: [
|
|
977
950
|
"Use",
|
|
978
951
|
"Ensure",
|
|
979
|
-
"Block unauthorized scripts from executing",
|
|
980
952
|
"Reassess bi-annually, or more frequently"
|
|
981
953
|
],
|
|
982
954
|
coreRequirements: [
|
|
983
|
-
"technical controls",
|
|
984
955
|
"only authorized files are allowed to execute"
|
|
985
956
|
],
|
|
986
957
|
subTaxonomicalElements: [
|
|
987
|
-
"Only authorized files are allowed to execute",
|
|
988
958
|
"Technical Controls",
|
|
989
959
|
"Block unauthorized scripts from executing",
|
|
990
|
-
"Reassess",
|
|
991
|
-
"Bi-Annually",
|
|
992
|
-
"More Frequently"
|
|
993
960
|
],
|
|
994
961
|
implementationSuggestions: [
|
|
995
962
|
"Digital signatures",
|
|
@@ -1214,7 +1181,7 @@ export class SafeguardManager {
|
|
|
1214
1181
|
"ACLS - \"aka\" Access Permissions",
|
|
1215
1182
|
"Local",
|
|
1216
1183
|
"Remote File Systems",
|
|
1217
|
-
"
|
|
1184
|
+
"Software",
|
|
1218
1185
|
"Databases"
|
|
1219
1186
|
],
|
|
1220
1187
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
@@ -1773,7 +1740,7 @@ export class SafeguardManager {
|
|
|
1773
1740
|
subTaxonomicalElements: [
|
|
1774
1741
|
"Encrypt Sensitive Data At Rest",
|
|
1775
1742
|
"Servers",
|
|
1776
|
-
"
|
|
1743
|
+
"Software",
|
|
1777
1744
|
"Databases",
|
|
1778
1745
|
"Storage Layer (server side) encryption",
|
|
1779
1746
|
"Minimum Requirement"
|
|
@@ -2044,7 +2011,7 @@ export class SafeguardManager {
|
|
|
2044
2011
|
title: "Establish and Maintain a Secure Configuration Process",
|
|
2045
2012
|
description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
2046
2013
|
implementationGroup: "IG1",
|
|
2047
|
-
assetType: ["end-user devices", "network devices", "IoT devices", "servers", "
|
|
2014
|
+
assetType: ["end-user devices", "network devices", "IoT devices", "servers", "Software"],
|
|
2048
2015
|
securityFunction: ["Govern"],
|
|
2049
2016
|
governanceElements: [
|
|
2050
2017
|
"Establish",
|
|
@@ -2067,7 +2034,7 @@ export class SafeguardManager {
|
|
|
2067
2034
|
"Non-computing/IoT devices",
|
|
2068
2035
|
"Servers",
|
|
2069
2036
|
"OS",
|
|
2070
|
-
"
|
|
2037
|
+
"Software"
|
|
2071
2038
|
],
|
|
2072
2039
|
implementationSuggestions: [
|
|
2073
2040
|
"Secure Configuration Policy / Process",
|
|
@@ -2416,7 +2383,7 @@ export class SafeguardManager {
|
|
|
2416
2383
|
title: "Securely Manage Enterprise Assets and Software",
|
|
2417
2384
|
description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
|
|
2418
2385
|
implementationGroup: "IG1",
|
|
2419
|
-
assetType: ["devices", "
|
|
2386
|
+
assetType: ["devices", "Software"],
|
|
2420
2387
|
securityFunction: ["Protect"],
|
|
2421
2388
|
governanceElements: [
|
|
2422
2389
|
"Do not use insecure management protocols",
|
|
@@ -2489,7 +2456,7 @@ export class SafeguardManager {
|
|
|
2489
2456
|
title: "Manage Default Accounts on Enterprise Assets and Software",
|
|
2490
2457
|
description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
|
|
2491
2458
|
implementationGroup: "IG1",
|
|
2492
|
-
assetType: ["devices", "
|
|
2459
|
+
assetType: ["devices", "Software", "users"],
|
|
2493
2460
|
securityFunction: ["Protect"],
|
|
2494
2461
|
governanceElements: [
|
|
2495
2462
|
"Manage"
|
|
@@ -2562,7 +2529,7 @@ export class SafeguardManager {
|
|
|
2562
2529
|
title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
|
|
2563
2530
|
description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
|
|
2564
2531
|
implementationGroup: "IG2",
|
|
2565
|
-
assetType: ["devices", "
|
|
2532
|
+
assetType: ["devices", "Software"],
|
|
2566
2533
|
securityFunction: ["Protect"],
|
|
2567
2534
|
governanceElements: [
|
|
2568
2535
|
"Uninstall",
|
|
@@ -4075,7 +4042,7 @@ export class SafeguardManager {
|
|
|
4075
4042
|
title: "Establish and Maintain a Remediation Process",
|
|
4076
4043
|
description: "Establish and maintain a remediation process and SLA for security vulnerabilities",
|
|
4077
4044
|
implementationGroup: "IG1",
|
|
4078
|
-
assetType: ["
|
|
4045
|
+
assetType: ["Software"],
|
|
4079
4046
|
securityFunction: ["Respond"],
|
|
4080
4047
|
governanceElements: [
|
|
4081
4048
|
"establish remediation process",
|
|
@@ -4239,7 +4206,7 @@ export class SafeguardManager {
|
|
|
4239
4206
|
title: "Perform Automated Application Patch Management",
|
|
4240
4207
|
description: "Perform automated application patch management on enterprise assets",
|
|
4241
4208
|
implementationGroup: "IG1",
|
|
4242
|
-
assetType: ["
|
|
4209
|
+
assetType: ["Software"],
|
|
4243
4210
|
securityFunction: ["Protect"],
|
|
4244
4211
|
governanceElements: [
|
|
4245
4212
|
"perform automated application patching",
|
|
@@ -4321,7 +4288,7 @@ export class SafeguardManager {
|
|
|
4321
4288
|
title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
|
|
4322
4289
|
description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
|
|
4323
4290
|
implementationGroup: "IG2",
|
|
4324
|
-
assetType: ["devices", "
|
|
4291
|
+
assetType: ["devices", "Software"],
|
|
4325
4292
|
securityFunction: ["Detect"],
|
|
4326
4293
|
governanceElements: [
|
|
4327
4294
|
"perform automated vulnerability scans",
|
|
@@ -4403,7 +4370,7 @@ export class SafeguardManager {
|
|
|
4403
4370
|
title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
|
|
4404
4371
|
description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
|
|
4405
4372
|
implementationGroup: "IG2",
|
|
4406
|
-
assetType: ["devices", "
|
|
4373
|
+
assetType: ["devices", "Software"],
|
|
4407
4374
|
securityFunction: ["Detect"],
|
|
4408
4375
|
governanceElements: [
|
|
4409
4376
|
"perform automated vulnerability scans",
|
|
@@ -4485,7 +4452,7 @@ export class SafeguardManager {
|
|
|
4485
4452
|
title: "Remediate Detected Vulnerabilities",
|
|
4486
4453
|
description: "Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis",
|
|
4487
4454
|
implementationGroup: "IG2",
|
|
4488
|
-
assetType: ["
|
|
4455
|
+
assetType: ["Software"],
|
|
4489
4456
|
securityFunction: ["Respond"],
|
|
4490
4457
|
governanceElements: [
|
|
4491
4458
|
"remediate detected vulnerabilities",
|
|
@@ -5421,7 +5388,7 @@ export class SafeguardManager {
|
|
|
5421
5388
|
title: "Ensure Use of Only Fully Supported Browsers and Email Clients",
|
|
5422
5389
|
description: "Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor",
|
|
5423
5390
|
implementationGroup: "IG1",
|
|
5424
|
-
assetType: ["
|
|
5391
|
+
assetType: ["Software"],
|
|
5425
5392
|
securityFunction: ["Protect"],
|
|
5426
5393
|
governanceElements: [
|
|
5427
5394
|
"ensure only fully supported browsers and email clients are allowed to execute",
|
|
@@ -5658,7 +5625,7 @@ export class SafeguardManager {
|
|
|
5658
5625
|
title: "Restrict Unnecessary or Unauthorized Browser and Email Client Extensions",
|
|
5659
5626
|
description: "Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications",
|
|
5660
5627
|
implementationGroup: "IG2",
|
|
5661
|
-
assetType: ["
|
|
5628
|
+
assetType: ["Software"],
|
|
5662
5629
|
securityFunction: ["Protect"],
|
|
5663
5630
|
governanceElements: [
|
|
5664
5631
|
"restrict unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications",
|
|
@@ -8252,7 +8219,7 @@ export class SafeguardManager {
|
|
|
8252
8219
|
title: "Perform Application Layer Filtering",
|
|
8253
8220
|
description: "Perform application layer filtering to protect against the enterprise's most common network-based attacks",
|
|
8254
8221
|
implementationGroup: "IG3",
|
|
8255
|
-
assetType: ["network", "
|
|
8222
|
+
assetType: ["network", "Software"],
|
|
8256
8223
|
securityFunction: ["Protect"],
|
|
8257
8224
|
governanceElements: [
|
|
8258
8225
|
"perform application layer filtering",
|
|
@@ -9680,7 +9647,7 @@ export class SafeguardManager {
|
|
|
9680
9647
|
title: "Establish and Maintain a Secure Application Development Process",
|
|
9681
9648
|
description: "Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
9682
9649
|
implementationGroup: "IG2",
|
|
9683
|
-
assetType: ["
|
|
9650
|
+
assetType: ["Software"],
|
|
9684
9651
|
securityFunction: ["Govern"],
|
|
9685
9652
|
governanceElements: [
|
|
9686
9653
|
"establish and maintain a secure application development process",
|
|
@@ -9763,7 +9730,7 @@ export class SafeguardManager {
|
|
|
9763
9730
|
title: "Establish and Maintain a Process to Accept and Address Software Vulnerabilities",
|
|
9764
9731
|
description: "Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders",
|
|
9765
9732
|
implementationGroup: "IG2",
|
|
9766
|
-
assetType: ["
|
|
9733
|
+
assetType: ["Software"],
|
|
9767
9734
|
securityFunction: ["Govern"],
|
|
9768
9735
|
governanceElements: [
|
|
9769
9736
|
"establish and maintain a process to accept and address reports of software vulnerabilities",
|
|
@@ -9850,7 +9817,7 @@ export class SafeguardManager {
|
|
|
9850
9817
|
title: "Perform Root Cause Analysis on Security Vulnerabilities",
|
|
9851
9818
|
description: "Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise",
|
|
9852
9819
|
implementationGroup: "IG2",
|
|
9853
|
-
assetType: ["
|
|
9820
|
+
assetType: ["Software"],
|
|
9854
9821
|
securityFunction: ["Protect"],
|
|
9855
9822
|
governanceElements: [
|
|
9856
9823
|
"perform root cause analysis on security vulnerabilities"
|
|
@@ -9922,7 +9889,7 @@ export class SafeguardManager {
|
|
|
9922
9889
|
title: "Establish and Manage an Inventory of Third-Party Software Components",
|
|
9923
9890
|
description: "Establish and manage an updated inventory of third-party components used in development, often referred to as a \"bill of materials,\" as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported",
|
|
9924
9891
|
implementationGroup: "IG2",
|
|
9925
|
-
assetType: ["
|
|
9892
|
+
assetType: ["Software"],
|
|
9926
9893
|
securityFunction: ["Identify"],
|
|
9927
9894
|
governanceElements: [
|
|
9928
9895
|
"establish and manage an updated inventory of third-party components used in development",
|
|
@@ -10002,7 +9969,7 @@ export class SafeguardManager {
|
|
|
10002
9969
|
title: "Use Up-to-Date and Trusted Third-Party Software Components",
|
|
10003
9970
|
description: "Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use",
|
|
10004
9971
|
implementationGroup: "IG2",
|
|
10005
|
-
assetType: ["
|
|
9972
|
+
assetType: ["Software"],
|
|
10006
9973
|
securityFunction: ["Protect"],
|
|
10007
9974
|
governanceElements: [
|
|
10008
9975
|
"use up-to-date and trusted third-party software components"
|
|
@@ -10079,7 +10046,7 @@ export class SafeguardManager {
|
|
|
10079
10046
|
title: "Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities",
|
|
10080
10047
|
description: "Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually",
|
|
10081
10048
|
implementationGroup: "IG2",
|
|
10082
|
-
assetType: ["
|
|
10049
|
+
assetType: ["Software"],
|
|
10083
10050
|
securityFunction: ["Govern"],
|
|
10084
10051
|
governanceElements: [
|
|
10085
10052
|
"establish and maintain a severity rating system and process for application vulnerabilities",
|
|
@@ -10157,7 +10124,7 @@ export class SafeguardManager {
|
|
|
10157
10124
|
title: "Use Standard Hardening Configuration Templates for Application Infrastructure",
|
|
10158
10125
|
description: "Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening",
|
|
10159
10126
|
implementationGroup: "IG2",
|
|
10160
|
-
assetType: ["
|
|
10127
|
+
assetType: ["Software"],
|
|
10161
10128
|
securityFunction: ["Protect"],
|
|
10162
10129
|
governanceElements: [
|
|
10163
10130
|
"use standard, industry-recommended hardening configuration templates for application infrastructure components",
|
|
@@ -10390,7 +10357,7 @@ export class SafeguardManager {
|
|
|
10390
10357
|
title: "Apply Secure Design Principles in Application Architectures",
|
|
10391
10358
|
description: "Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of \"never trust user input.\" Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts",
|
|
10392
10359
|
implementationGroup: "IG2",
|
|
10393
|
-
assetType: ["
|
|
10360
|
+
assetType: ["Software"],
|
|
10394
10361
|
securityFunction: ["Protect"],
|
|
10395
10362
|
governanceElements: [
|
|
10396
10363
|
"apply secure design principles in application architectures"
|
|
@@ -10472,7 +10439,7 @@ export class SafeguardManager {
|
|
|
10472
10439
|
title: "Leverage Vetted Modules or Services for Application Security Components",
|
|
10473
10440
|
description: "Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs",
|
|
10474
10441
|
implementationGroup: "IG2",
|
|
10475
|
-
assetType: ["
|
|
10442
|
+
assetType: ["Software"],
|
|
10476
10443
|
securityFunction: ["Identify"],
|
|
10477
10444
|
governanceElements: [
|
|
10478
10445
|
"leverage vetted modules or services for application security components",
|
|
@@ -10554,7 +10521,7 @@ export class SafeguardManager {
|
|
|
10554
10521
|
title: "Implement Code-Level Security Checks",
|
|
10555
10522
|
description: "Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed",
|
|
10556
10523
|
implementationGroup: "IG3",
|
|
10557
|
-
assetType: ["
|
|
10524
|
+
assetType: ["Software"],
|
|
10558
10525
|
securityFunction: ["Protect"],
|
|
10559
10526
|
governanceElements: [
|
|
10560
10527
|
"apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed"
|
|
@@ -10628,7 +10595,7 @@ export class SafeguardManager {
|
|
|
10628
10595
|
title: "Conduct Application Penetration Testing",
|
|
10629
10596
|
description: "Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user",
|
|
10630
10597
|
implementationGroup: "IG3",
|
|
10631
|
-
assetType: ["
|
|
10598
|
+
assetType: ["Software"],
|
|
10632
10599
|
securityFunction: ["Detect"],
|
|
10633
10600
|
governanceElements: [
|
|
10634
10601
|
"conduct application penetration testing"
|
|
@@ -10705,7 +10672,7 @@ export class SafeguardManager {
|
|
|
10705
10672
|
title: "Conduct Threat Modeling",
|
|
10706
10673
|
description: "Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses",
|
|
10707
10674
|
implementationGroup: "IG3",
|
|
10708
|
-
assetType: ["
|
|
10675
|
+
assetType: ["Software"],
|
|
10709
10676
|
securityFunction: ["Protect"],
|
|
10710
10677
|
governanceElements: [
|
|
10711
10678
|
"conduct threat modeling"
|