Conversation
Added mapping reference for BSI TR-03185-2 including title, version, URL, and description. Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
SecurityCRob
requested review from
eddie-knight,
evankanderson,
funnelfiasco and
puerco
|
@funnelfiasco this is also just metadata, should be a quick merge |
evankanderson
left a comment
evankanderson
left a comment
There was a problem hiding this comment.
(I don't see changes needed, but I wanted to point out a relation with earlier mapping challenges.)
| Secure software is essential for the use of IT products in governments, | ||
| businesses and societies. The German Federal Office for Information | ||
| Security (BSI) appeals to all relevant stakeholders to consider information | ||
| security from the outset and to ease estimating a software component’s | ||
| security posture as far as possible in order to enable its secure use. |
There was a problem hiding this comment.
This looks to be the first paragraph from the regulation, which is fine.
In the larger context of these mappings, BSI TR-03185-2 is specifically focused on open source projects, and BSI TR-03185-1 provides equivalent guidance for proprietary software. This is in contrast to unlike the UK SSCOP, which does not differentiate the two, and produced more difficulty in the mappings.
There was a problem hiding this comment.
i agree with your assessment. Any suggested action?
There was a problem hiding this comment.
Mostly, I was pointing this out as a guideline for future framework mappings. It might also be worth an aside somewhere about differences between proprietary and open source software security (e.g. security by obscurity really doesn't exist, things like build pipelines are generally much more exposed, and it's much easier for malicious actors to propose changes / fork code).
|
One interesting note which I only realized when I was almost done with these reviews is that the BSI TR-03185-2 guidance is based on the 2025-02-25 version of baseline, and we have added and changed controls for the October release and the in-development release (these mappings should be applied to the in-development version, not the "current version"). |
|
Agreed @evankanderson — this is another reason that I'd argue in favor of only maintaining outgoing mappings. The mappings we add here are going into a future version of our catalog, which the BSI work did not consider when they mapped to the feb25 release. |
3 participants
Added mapping reference for BSI TR-03185-2 including title, version, URL, and description.