OWASP Product Security Capability Framework
The OWASP Product Security Capability Framework (PSCF)
This is the OWASP framework for building security capabilities into your product delivery process and teams.
The main website for the PSCF is on Prods.ec and includes many more details about the Framework along with explanatory videos.
We created the Product Security Capability Framework to provide a clear way of thinking about software product security and the delivery activities that lead to building and maintaining the right level of security for your customers and your organisation.
This framework is designed to be the foundation of:
- Your point-in-time appraisals of current security capability
- The security policy defining how your organisation works to build secure products
- Your strategic product security programme for continuous improvement
The framework currently consists of six (6) process areas and thirty-two (32) capabilities.
The current 1.0 version of the framework is available here in Google Sheets, and anyone can comment and contribute there.
The Sheet allows someone to do an assessment of their own organisation’s capabilities and get a report.
The full text and multimedia site is available on Prods.ec.
Risk Management
PSCF-RM-OOM: Organisational Operating Model
The capability to evaluate and apply fair and scalable accountabilities and responsibilities for capabilities across the delivery organisation
PSCF-RM-CCI: Continuous Capability Improvement
The capability to evaluate capabilities in this framework that require improvement and apply improvements over time
PSCF-RM-TPC: Third-Party Components
The capability to evaluate and select third-party component suppliers
PSCF-RM-TPD: Third-Party Software Development Services
The capability to evaluate and select secure third-party development services suppliers
PSCF-RM-TPS: Third-Party Software-as-a-Service
The capability to evaluate and select secure SaaS offerings from third parties
PSCF-RM-CO: Compliance Obligations
The capability to define, understand and apply your obligations for compliance to your product delivery process
PSCF-RM-DPO: Data Processing Obligations
The capability to define, understand and apply your obligations for data processing to your product delivery process
PSCF-RM-BIA: Business Impact Assessment
The capability to analyse the business value of products and the effects that security disruptions to those products would have on the business
PSCF-RM-TI: Threat Intelligence
The capability to define and understand criminal abuses your product might be exposed to and apply this understanding to product delivery
Secure Product Management
PSCF-SPM-RC: Recommended Components
The capability to evaluate and select secure recommended components suitable for use in the organisation’s products
PSCF-SPM-RSS: Recommended Shared Security Services
The capability to evaluate and select shared security services suitable for use in the organisation’s products
PSCF-SPM-DM: Delivery Metrics
The capability to quantitatively evaluate the efficiency of delivery capabilities
PSCF-SPM-QM: Quality Metrics
The capability to quantitatively evaluate all aspects of your product’s quality
PSCF-SPM-POM: Product Operating Model
The capability to analyse your products and define their scope, processes and operating requirements across their lifecycle
PSCF-SPM-MAR: Minimum Application Requirements For Security
The capability to evaluate and select a list of minimum security requirements suitable for use in the organisation’s products
Secure Product Implementation
PSCF-SPI-DC: Data Classification
The capability to maintain a Data Catalogue of the data in use by your product that records its criticality, sensitivity and requirements
PSCF-SPI-FRA: Functional Requirement Analysis
The capability to analyse functional product requirements for the security requirements that arise from them
PSCF-SPI-ATM: Agile Threat Modelling
The capability to evaluate product designs for their resilience to security threats
PSCF-SPI-CM: Component Management
The capability to evaluate, select and maintain secure product components used by your product
PSCF-SPI-SCP: Secure Coding Practices
The capability to define, understand and apply secure coding practices to the creation of source code for use in the organisation’s products
Secure Build And Deployment
PSCF-SBD-DM: Dependency Management
The capability to evaluate and select secure software dependencies used by your product
PSCF-SBD-BP: Build Process
The capability to securely assemble product artefacts from their codebases and dependencies
PSCF-SBD-AI: Artifact Integrity
The capability to use product artefacts from trusted sources and evaluate any that change
PSCF-SBD-DI: Data Integrity
The capability to use data in your product that is obtained from and stored in trusted sources, and to evaluate any changes
PSCF-SBD-SM: Secrets Management
The capability to restrict access to product secrets to the people and systems that need them, and only when they need it
PSCF-SBD-DP: Deployment Process
The capability to securely deploy a product and its components from a known set of artefacts
Get Involved
Coming soon. For now, either comment on the Google Sheet, or join Slack and then jump into the #project-pscf channel.
Call for Sponsors
The PSCF would not have been possible without the project’s sponsors and supporters.
Quality Control
PSCF-QC-CST: Component Security Testing
The capability to analyse products for security issues in source code and included libraries
PSCF-QC-EST: Exploratory Security Testing
The capability to analyse products for security issues in running systems
PSCF-QC-SDM: Security Defect Management
The capability to evaluate findings from security checks through to resolution
Operational Visibility
PSCF-OV-EM: Environment Management
The capability to apply secure system configurations and evaluate any that change
PSCF-OV-ID: Incident Detection
The capability to analyse product events and identify those that indicate a security incident
PSCF-OV-IR: Incident Response
The capability to apply appropriate responses to identified security incidents