@@ -53,11 +53,13 @@ controls:
5353 Include designs in the project documentation that explains the actions
5454 and actors. Actors include any subsystem or entity that can influence
5555 another segment in the system.
56+ Ensure this is updated for new features or breaking changes.
57+
5658
5759 - id : OSPS-SA-02
5860 title : |
59- Include descriptions of all external software interfaces of the released
60- software assets
61+ The project documentation MUST include descriptions of all external
62+ software interfaces of the released software assets.
6163 objective : |
6264 Provide users and developers with an understanding of how to interact with
6365 the project's software and integrate it with other systems, enabling them
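Review bot: The sentence added at new line 56, "Ensure this is updated for new features or breaking changes.", leaves "this" without a clear referent; name the artifact, for example "Ensure the design documentation is updated for new features or breaking changes." The blank line added at new line 57 sits directly above the existing blank line 58, so one of the two can go. The new OSPS-SA-02 title at lines 61-62 is an unconditional MUST, while OSPS-SA-02.01 is changed in the same commit to apply only "When the project has made a release"; the title should carry the same condition or stay descriptive.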
@@ -91,19 +93,21 @@ controls:
9193 assessment-requirements :
9294 - id : OSPS-SA-02.01
9395 text : |
94- The project documentation MUST include descriptions of all external
95- software interfaces of the released software assets.
96+ When the project has made a release, the project documentation MUST
97+ include descriptions of all external software interfaces of the
98+ released software assets.
9699 applicability :
97100 - Maturity Level 2
98101 - Maturity Level 3
99102 recommendation : |
100- Document all software interfaces (APIs) of the released software assets,
101- explaining how users can interact with the software and what data is
102- expected or produced.
103+ Document all software interfaces (APIs) of the released software
104+ assets, explaining how users can interact with the software and what
105+ data is expected or produced.
106+ Ensure this is updated for new features or breaking changes.
103107
104108 - id : OSPS-SA-03
105109 title : |
106- Perform a threat modeling and attack surface analysis
110+ The project MUST assess the security posture of all software assets.
107111 objective : |
108112 Provide project maintainers an understanding of how the software can be
109113 misused or broken allows them to plan mitigations to close off the potential
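Review bot: The new OSPS-SA-03 title at line 110, "The project MUST assess the security posture of all software assets.", no longer mentions threat modeling or attack surface analysis, which OSPS-SA-03.02 still requires, and it is unconditional while the requirement texts in this commit are limited to projects that have made a release. Consider keeping both activities in the title and matching the condition. In the OSPS-SA-02.01 recommendation, lines 103-105 only re-wrap existing text, which hides the one real addition at line 106; leaving the wrap as it was would reduce the change to a single added line.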
@@ -144,9 +148,9 @@ controls:
144148 assessment-requirements :
145149 - id : OSPS-SA-03.01
146150 text : |
147- The project MUST perform a security assessment to understand the most
148- likely and impactful potential security problems that could occur
149- within the software.
151+ When the project has made a release, the project MUST perform a
152+ security assessment to understand the most likely and impactful
153+ potential security problems that could occur within the software.
150154 applicability :
151155 - Maturity Level 2
152156 - Maturity Level 3
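Review bot: The condition "When the project has made a release" added at line 151 does not say whether the security assessment has to exist before the first release or only at some point afterwards, so as worded a first release can ship without one. If the assessment is meant to cover what is released, state when it must be done, for example before or as part of a release.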
@@ -157,11 +161,13 @@ controls:
157161 realized helps the project manage and address risk. This information
158162 is useful to downstream consumers to demonstrate the security acumen
159163 and practices of the project.
164+ Ensure this is updated for new features or breaking changes.
160165 - id : OSPS-SA-03.02
161166 text : |
162- The project MUST perform a threat modeling and attack surface analysis to
163- understand and protect against attacks on critical code paths, functions,
164- and interactions within the system.
167+ When the project has made a release, the project MUST perform a threat
168+ modeling and attack surface analysis to understand and protect against
169+ attacks on critical code paths, functions, and interactions within the
170+ system.
165171 applicability :
166172 - Maturity Level 3
167173 recommendation : |
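Review bot: The update expectation added at line 164 is appended to the explanatory paragraph that closes OSPS-SA-03.01 rather than to a requirement text, so an assessment that is never revisited still satisfies the MUST statements at lines 151-153 and 167-170. If keeping the assessment current is meant to be required, put it in the requirement text. Also replace "this" with "the security assessment", since the sentence just before it is about "This information" for downstream consumers and the referent is ambiguous.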
@@ -171,3 +177,4 @@ controls:
171177 be be broken or compromised. Each identified threat is listed out so
172178 the project can then think about how to proactively avoid or close off
173179 any gaps/vulnerabilities that could arise.
180+ Ensure this is updated for new features or breaking changes.
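Review bot: The context line 177 directly above the added sentence still reads "be be broken or compromised"; since this paragraph is being edited, drop the duplicated "be" in the same change. Line 180 is the fourth copy of "Ensure this is updated for new features or breaking changes." in this commit, and here "this" should name the threat model and attack surface analysis explicitly.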