mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-05 15:29:01 +03:00
Add launch content: HN post, Reddit posts, Twitter thread, LinkedIn, Dev.to article
@@ -0,0 +1,177 @@
# ATT&CK Coverage Summary

Coverage analysis of the 607 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.

## Tactic Coverage Matrix

| ATT&CK Tactic | ID | Relevant Subdomains | Skills Count |
|---------------|-----|---------------------|--------------|
| Reconnaissance | TA0043 | threat-intelligence, penetration-testing, red-teaming | ~48 |
| Resource Development | TA0042 | threat-intelligence, red-teaming | ~30 |
| Initial Access | TA0001 | web-application-security, phishing-defense, api-security | ~45 |
| Execution | TA0002 | malware-analysis, endpoint-security, soc-operations | ~32 |
| Persistence | TA0003 | threat-hunting, digital-forensics, endpoint-security | ~28 |
| Privilege Escalation | TA0004 | penetration-testing, red-teaming, identity-access-management | ~40 |
| Defense Evasion | TA0005 | malware-analysis, endpoint-security, threat-hunting | ~25 |
| Credential Access | TA0006 | identity-access-management, penetration-testing | ~30 |
| Discovery | TA0007 | penetration-testing, threat-hunting, network-security | ~35 |
| Lateral Movement | TA0008 | red-teaming, network-security, soc-operations | ~28 |
| Collection | TA0009 | digital-forensics, threat-hunting | ~22 |
| Command and Control | TA0011 | threat-intelligence, network-security, soc-operations | ~30 |
| Exfiltration | TA0010 | threat-hunting, digital-forensics, network-security | ~20 |
| Impact | TA0040 | ransomware-defense, incident-response, ot-ics-security | ~35 |

## Subdomain-to-Tactic Heat Map

Shows which subdomains contribute skills to each ATT&CK tactic. Intensity indicates relevance (H = High, M = Medium, L = Low).

| Subdomain (skills) | Recon | Res Dev | Init Access | Exec | Persist | Priv Esc | Def Evasion | Cred Access | Disc | Lat Mov | Collect | C2 | Exfil | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| web-application-security (41) | L | - | **H** | M | L | M | L | M | L | - | - | - | - | M |
| threat-intelligence (43) | **H** | **H** | M | L | L | - | L | - | M | - | - | **H** | L | L |
| threat-hunting (35) | L | - | M | M | **H** | M | **H** | M | **H** | M | **H** | M | **H** | M |
| digital-forensics (34) | - | - | L | M | **H** | L | M | L | L | M | **H** | L | M | M |
| malware-analysis (34) | - | L | M | **H** | **H** | M | **H** | L | L | L | M | **H** | L | M |
| identity-access-management (33) | - | - | M | L | M | **H** | L | **H** | L | M | - | - | - | - |
| network-security (33) | M | - | M | L | L | L | L | L | M | **H** | L | **H** | **H** | L |
| soc-operations (33) | L | - | M | **H** | M | M | M | M | M | M | M | M | M | M |
| cloud-security (48) | M | M | **H** | M | M | **H** | M | **H** | **H** | M | M | L | M | M |
| api-security (28) | L | - | **H** | M | L | M | L | **H** | L | - | M | - | M | L |
| ot-ics-security (28) | M | L | M | M | M | L | L | M | **H** | M | **H** | M | L | **H** |
| container-security (26) | L | L | M | **H** | M | **H** | **H** | M | M | L | L | L | M | M |
| incident-response (24) | - | - | M | M | M | M | M | M | L | M | M | M | M | **H** |
| vulnerability-management (24) | M | - | **H** | M | L | M | L | L | **H** | L | - | - | - | M |
| penetration-testing (23) | **H** | M | **H** | **H** | M | **H** | M | **H** | **H** | M | M | M | M | L |
| red-teaming (24) | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** |
| devsecops (16) | L | L | M | M | L | M | L | M | L | - | - | - | - | L |
| endpoint-security (16) | - | - | M | **H** | **H** | **H** | **H** | M | M | M | M | M | L | M |
| phishing-defense (16) | M | M | **H** | M | - | - | M | **H** | - | - | M | L | L | L |
| cryptography (13) | - | - | L | - | - | - | M | **H** | - | - | M | M | **H** | L |
| zero-trust-architecture (13) | - | - | M | L | L | **H** | L | **H** | L | **H** | L | L | M | - |
| mobile-security (12) | M | L | **H** | M | M | M | M | M | M | L | M | M | M | L |
| compliance-governance (5) | L | L | L | - | - | L | - | L | L | - | - | - | - | L |
| ransomware-defense (5) | - | - | M | M | M | L | M | - | - | - | M | M | L | **H** |

## Key Technique Coverage

High-confidence technique-to-skill mappings based on skill content analysis.

### Initial Access (TA0001) -- 45 skills

| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Phishing | T1566 | analyzing-phishing-email-headers, analyzing-certificate-transparency-for-phishing, 14 phishing-defense skills |
| Exploit Public-Facing Application | T1190 | 41 web-application-security skills, 28 api-security skills |
| External Remote Services | T1133 | network-security VPN/remote access skills |
| Valid Accounts | T1078 | identity-access-management credential skills |
| Supply Chain Compromise | T1195 | analyzing-supply-chain-malware-artifacts, devsecops dependency scanning |

### Execution (TA0002) -- 32 skills

| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Command and Scripting Interpreter | T1059 | malware-analysis script analysis skills |
| Exploitation for Client Execution | T1203 | web-application-security exploit skills |
| User Execution | T1204 | phishing-defense awareness skills |
| Container Administration Command | T1609 | container-security skills |

### Persistence (TA0003) -- 28 skills

| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Boot or Logon Autostart Execution | T1547 | analyzing-malware-persistence-with-autoruns, analyzing-windows-registry-for-artifacts |
| Scheduled Task/Job | T1053 | endpoint-security scheduled task skills |
| Create Account | T1136 | identity-access-management monitoring skills |
| Implant Internal Image | T1525 | container-security image scanning skills |

### Privilege Escalation (TA0004) -- 40 skills

| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Exploitation for Privilege Escalation | T1068 | penetration-testing privilege escalation skills |
| Access Token Manipulation | T1134 | identity-access-management token skills |
| Container Escape | T1611 | container-security escape detection skills |
| Domain Policy Modification | T1484 | identity-access-management AD skills |

### Defense Evasion (TA0005) -- 25 skills

| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Obfuscated Files or Information | T1027 | analyzing-packed-malware-with-upx-unpacker, malware deobfuscation skills |
| Masquerading | T1036 | threat-hunting detection skills |
| Rootkit | T1014 | analyzing-bootkit-and-rootkit-samples |
| Indicator Removal | T1070 | digital-forensics anti-forensics skills |

### Credential Access (TA0006) -- 30 skills

| Technique | ID | Primary Skills |
|-----------|----|---------------|
| OS Credential Dumping | T1003 | analyzing-memory-dumps-with-volatility, penetration-testing credential skills |
| Brute Force | T1110 | identity-access-management authentication skills |
| Steal Web Session Cookie | T1539 | web-application-security session skills |
| Unsecured Credentials | T1552 | cloud-security secrets management skills |

### Discovery (TA0007) -- 35 skills

| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Network Service Discovery | T1046 | network-security scanning skills, penetration-testing recon |
| System Information Discovery | T1082 | threat-hunting system enumeration skills |
| Cloud Infrastructure Discovery | T1580 | cloud-security asset discovery skills |
| Account Discovery | T1087 | identity-access-management enumeration skills |

### Lateral Movement (TA0008) -- 28 skills

| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Remote Services | T1021 | network-security remote access skills |
| Lateral Tool Transfer | T1570 | threat-hunting lateral movement detection skills |
| Use Alternate Authentication Material | T1550 | identity-access-management pass-the-hash skills |
| Exploitation of Remote Services | T1210 | penetration-testing exploitation skills |

### Collection (TA0009) -- 22 skills

| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Data from Local System | T1005 | digital-forensics disk/file analysis skills |
| Data from Network Shared Drive | T1039 | threat-hunting data access monitoring skills |
| Email Collection | T1114 | analyzing-outlook-pst-for-email-forensics |
| Screen Capture | T1113 | malware-analysis behavior analysis skills |

### Command and Control (TA0011) -- 30 skills

| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Application Layer Protocol | T1071 | analyzing-command-and-control-communication, network-security C2 detection |
| Encrypted Channel | T1573 | analyzing-network-covert-channels-in-malware |
| Ingress Tool Transfer | T1105 | analyzing-cobalt-strike-beacon-configuration |
| Proxy | T1090 | network-security proxy analysis skills |

### Exfiltration (TA0010) -- 20 skills

| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Exfiltration Over C2 Channel | T1041 | analyzing-dns-logs-for-exfiltration |
| Exfiltration Over Alternative Protocol | T1048 | network-security protocol analysis skills |
| Exfiltration Over Web Service | T1567 | cloud-security data loss prevention skills |

### Impact (TA0040) -- 35 skills

| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Data Encrypted for Impact | T1486 | analyzing-ransomware-encryption-mechanisms, 5 ransomware-defense skills |
| Service Stop | T1489 | incident-response service restoration skills |
| Inhibit System Recovery | T1490 | ransomware-defense recovery skills |
| Manipulation of Control | T0831 | ot-ics-security control system skills |

## Coverage Gaps

Areas where additional skills would improve ATT&CK coverage:

| Gap Area | ATT&CK Techniques | Recommendation |
|----------|-------------------|----------------|
| Firmware attacks | T1542 (Pre-OS Boot) | Add UEFI/firmware analysis skills |
| Audio/video capture | T1123, T1125 | Add surveillance detection skills |
| Cloud-specific lateral movement | T1550.001 (Web Session Cookie in cloud) | Expand cloud-security lateral movement |
| Hardware additions | T1200 | Add physical security assessment skills |
| Traffic signaling | T1205 | Add network covert channel detection skills |
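Review bot: the last row of the Impact table maps "Manipulation of Control" to T0831, which is an ATT&CK for ICS technique ID, while the file states that it maps against the Enterprise v15 matrix; either move that row into a separate ICS section or cite an Enterprise technique. In the Coverage Gaps table, T1550.001 is "Application Access Token"; the sub-technique named "Web Session Cookie" is T1550.004, so the ID or the label in `| Cloud-specific lateral movement | T1550.001 (Web Session Cookie in cloud) |` needs to change. In the Privilege Escalation table, the ATT&CK name for T1611 is "Escape to Host", not "Container Escape". Minor: the tactic matrix gives approximate counts (`~45`) while the per-tactic headings present the same numbers as exact (`-- 45 skills`); pick one form. The 24 subdomain sizes in the heat map do sum to 607, matching the stated total.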
@@ -0,0 +1,133 @@
# NIST Cybersecurity Framework 2.0 Mapping

This directory maps the cybersecurity skills in this repository to the [NIST Cybersecurity Framework (CSF) 2.0](https://www.nist.gov/cyberframework), published February 2024.

## Overview

NIST CSF 2.0 organizes cybersecurity activities into 6 core functions that represent the full lifecycle of managing cybersecurity risk. This mapping enables organizations to:

- **Align skill development** to their CSF implementation tier
- **Identify training gaps** across the CSF functions
- **Build role-based learning paths** using CSF categories
- **Automate compliance mapping** through AI agent queries

## CSF 2.0 Functions and Skill Alignment

### Govern (GV) -- Cybersecurity Risk Management Strategy

Establishing and monitoring the organization's cybersecurity risk management strategy, expectations, and policy.

| Category | ID | Mapped Subdomains | Skills |
|----------|-----|-------------------|--------|
| Organizational Context | GV.OC | compliance-governance | 5 |
| Risk Management Strategy | GV.RM | compliance-governance, vulnerability-management | 29 |
| Roles, Responsibilities, and Authorities | GV.RR | compliance-governance, identity-access-management | 38 |
| Policy | GV.PO | compliance-governance, zero-trust-architecture | 18 |
| Oversight | GV.OV | compliance-governance, soc-operations | 38 |
| Cybersecurity Supply Chain Risk Management | GV.SC | devsecops, container-security | 42 |

**Primary subdomains:** compliance-governance (5), identity-access-management (33), devsecops (16)

### Identify (ID) -- Understanding Organizational Cybersecurity Risk

Understanding the organization's current cybersecurity risks.

| Category | ID | Mapped Subdomains | Skills |
|----------|-----|-------------------|--------|
| Asset Management | ID.AM | cloud-security, container-security, network-security | 107 |
| Risk Assessment | ID.RA | vulnerability-management, threat-intelligence | 67 |
| Improvement | ID.IM | soc-operations, compliance-governance | 38 |

**Primary subdomains:** vulnerability-management (24), threat-intelligence (43), cloud-security (48)

### Protect (PR) -- Safeguarding Assets

Using safeguards to prevent or reduce cybersecurity risk.

| Category | ID | Mapped Subdomains | Skills |
|----------|-----|-------------------|--------|
| Identity Management, Authentication, and Access Control | PR.AA | identity-access-management, zero-trust-architecture | 46 |
| Awareness and Training | PR.AT | phishing-defense, compliance-governance | 21 |
| Data Security | PR.DS | cryptography, cloud-security, api-security | 89 |
| Platform Security | PR.PS | endpoint-security, container-security, devsecops | 58 |
| Technology Infrastructure Resilience | PR.IR | network-security, zero-trust-architecture | 46 |

**Primary subdomains:** zero-trust-architecture (13), devsecops (16), identity-access-management (33), cryptography (13)

### Detect (DE) -- Finding and Analyzing Cybersecurity Events

Finding and analyzing possible cybersecurity compromises and anomalies.

| Category | ID | Mapped Subdomains | Skills |
|----------|-----|-------------------|--------|
| Continuous Monitoring | DE.CM | soc-operations, threat-hunting, network-security | 101 |
| Adverse Event Analysis | DE.AE | threat-hunting, malware-analysis, soc-operations | 102 |

**Primary subdomains:** threat-hunting (35), soc-operations (33), malware-analysis (34)

### Respond (RS) -- Taking Action Regarding Detected Incidents

Managing and responding to detected cybersecurity incidents.

| Category | ID | Mapped Subdomains | Skills |
|----------|-----|-------------------|--------|
| Incident Management | RS.MA | incident-response, soc-operations | 57 |
| Incident Analysis | RS.AN | digital-forensics, malware-analysis, threat-intelligence | 111 |
| Incident Response Reporting and Communication | RS.CO | incident-response, compliance-governance | 29 |
| Incident Mitigation | RS.MI | incident-response, endpoint-security, network-security | 73 |

**Primary subdomains:** incident-response (24), digital-forensics (34), malware-analysis (34)

### Recover (RC) -- Restoring Capabilities After an Incident

Restoring assets and operations affected by a cybersecurity incident.

| Category | ID | Mapped Subdomains | Skills |
|----------|-----|-------------------|--------|
| Incident Recovery Plan Execution | RC.RP | incident-response, ransomware-defense | 29 |
| Incident Recovery Communication | RC.CO | incident-response, compliance-governance | 29 |

**Primary subdomains:** incident-response (24), ransomware-defense (5)

## Function Coverage Distribution

```
Govern (GV): ████████████░░░░░░░░ ~54 skills (compliance, IAM, devsecops)
Identify (ID): ██████████████████░░ ~115 skills (vuln-mgmt, threat-intel, cloud)
Protect (PR): ████████████████████ ~160 skills (IAM, ZTA, devsecops, crypto)
Detect (DE): ████████████████░░░░ ~102 skills (threat-hunting, SOC, malware)
Respond (RS): ██████████████████░░ ~111 skills (IR, forensics, malware)
Recover (RC): ████░░░░░░░░░░░░░░░░ ~29 skills (IR recovery, ransomware)
```

## How to Use This Mapping

### For Organizations

1. Determine your target CSF implementation tier (Partial, Risk Informed, Repeatable, Adaptive)
2. Identify your CSF function priorities
3. Use the category tables above to find relevant skill subdomains
4. Deploy skills from those subdomains to your team's training plan

### For AI Agents

Query skills by CSF function using subdomain filters:

```
# Find all Detect (DE) function skills
Filter: subdomain IN (threat-hunting, soc-operations, malware-analysis)

# Find all Protect (PR) function skills
Filter: subdomain IN (identity-access-management, zero-trust-architecture, devsecops, cryptography)
```

### For Security Teams

Use the alignment table in [`csf-alignment.md`](csf-alignment.md) for a complete subdomain-to-category cross-reference.

## References

- [NIST CSF 2.0 (February 2024)](https://www.nist.gov/cyberframework)
- [NIST SP 800-53 Rev. 5 Control Mapping](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
- [CSF 2.0 Quick Start Guides](https://www.nist.gov/cyberframework/getting-started)
- [CSF 2.0 Reference Tool](https://csrc.nist.gov/Projects/Cybersecurity-Framework/Filters)
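Review bot: the per-category "Skills" column is the sum of whole-subdomain sizes (RS.AN 111 = digital-forensics 34 + malware-analysis 34 + threat-intelligence 43), so a subdomain mapped to several categories is counted once per category and the figures cannot be added across rows; say so in the Overview or rename the column to "Skills in mapped subdomains". The Function Coverage Distribution bars are then not derived by one rule: Govern ~54, Identify ~115, Detect ~102 and Recover ~29 equal the sums of the listed primary subdomains, Respond ~111 equals the RS.AN row rather than its primary subdomains (24+34+34 = 92), and Protect ~160 matches neither its primary subdomains (13+16+33+13 = 75) nor any row of the Protect table; state the formula used or recompute. In the "For AI Agents" block, `Filter: subdomain IN (threat-hunting, soc-operations, malware-analysis)` is not a defined query syntax for any tool named in the file, and the Detect filter omits network-security although the DE.CM row maps it; either document the intended query language or present a plain list of subdomains per function.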
@@ -0,0 +1,102 @@
# NIST CSF 2.0 Alignment Table

Complete mapping of each skill subdomain to NIST CSF 2.0 functions and categories.

## Subdomain-to-CSF Alignment

| Subdomain | Skills | GV | ID | PR | PR | DE | RS | RC |
|-----------|--------|-----|-----|-----|-----|-----|-----|-----|
| | | Govern | Identify | Protect | Protect | Detect | Respond | Recover |

### Detailed Alignment

| Subdomain (Skills) | Primary CSF Function | CSF Categories | Alignment Rationale |
|---------------------|---------------------|----------------|---------------------|
| api-security (28) | Protect (PR) | PR.DS, PR.PS | API hardening, authentication, input validation |
| cloud-security (48) | Identify (ID), Protect (PR) | ID.AM, PR.DS, PR.PS, PR.IR | Cloud asset management, data protection, infrastructure resilience |
| compliance-governance (5) | Govern (GV) | GV.OC, GV.RM, GV.RR, GV.PO, GV.OV | Risk strategy, policy, organizational oversight |
| container-security (26) | Protect (PR) | PR.PS, GV.SC | Platform security, supply chain risk management |
| cryptography (13) | Protect (PR) | PR.DS | Data confidentiality and integrity at rest and in transit |
| devsecops (16) | Protect (PR), Govern (GV) | PR.PS, GV.SC | Secure development lifecycle, supply chain security |
| digital-forensics (34) | Respond (RS) | RS.AN, RS.MA | Incident analysis, evidence collection and examination |
| endpoint-security (16) | Protect (PR), Detect (DE) | PR.PS, DE.CM, DE.AE | Endpoint hardening, continuous monitoring, threat detection |
| identity-access-management (33) | Protect (PR), Govern (GV) | PR.AA, GV.RR | Identity lifecycle, authentication, authorization, access governance |
| incident-response (24) | Respond (RS), Recover (RC) | RS.MA, RS.AN, RS.MI, RS.CO, RC.RP, RC.CO | Full incident lifecycle from detection through recovery |
| malware-analysis (34) | Detect (DE), Respond (RS) | DE.AE, RS.AN | Adverse event analysis, reverse engineering, threat characterization |
| mobile-security (12) | Protect (PR) | PR.PS, PR.DS | Mobile platform security, application data protection |
| network-security (33) | Protect (PR), Detect (DE) | PR.IR, DE.CM | Network infrastructure resilience, traffic monitoring |
| ot-ics-security (28) | Protect (PR), Detect (DE) | PR.PS, PR.IR, DE.CM | Industrial control system protection and monitoring |
| penetration-testing (23) | Identify (ID) | ID.RA | Risk assessment through offensive security testing |
| phishing-defense (16) | Protect (PR), Detect (DE) | PR.AT, DE.CM, DE.AE | Security awareness training, phishing detection |
| ransomware-defense (5) | Respond (RS), Recover (RC) | RS.MI, RC.RP | Ransomware mitigation and recovery planning |
| red-teaming (24) | Identify (ID) | ID.RA, ID.IM | Adversary simulation for risk assessment and program improvement |
| soc-operations (33) | Detect (DE), Respond (RS) | DE.CM, DE.AE, RS.MA | Continuous monitoring, alert triage, incident management |
| threat-hunting (35) | Detect (DE) | DE.CM, DE.AE | Proactive threat detection, hypothesis-driven analysis |
| threat-intelligence (43) | Identify (ID), Detect (DE) | ID.RA, DE.AE | Threat landscape understanding, intelligence-driven detection |
| vulnerability-management (24) | Identify (ID) | ID.RA, GV.RM | Vulnerability identification, risk assessment, remediation prioritization |
| web-application-security (41) | Protect (PR), Identify (ID) | PR.DS, PR.PS, ID.RA | Application security testing and hardening |
| zero-trust-architecture (13) | Protect (PR) | PR.AA, PR.IR | Zero trust access control and network segmentation |

## CSF Category Coverage Summary

### Govern (GV)

| Category | ID | Description | Subdomain Coverage |
|----------|-----|------------|-------------------|
| Organizational Context | GV.OC | Understanding the organizational mission and stakeholder expectations | compliance-governance |
| Risk Management Strategy | GV.RM | Risk management priorities, constraints, and appetite | compliance-governance, vulnerability-management |
| Roles, Responsibilities, and Authorities | GV.RR | Cybersecurity roles and authorities are established | compliance-governance, identity-access-management |
| Policy | GV.PO | Organizational cybersecurity policy is established | compliance-governance, zero-trust-architecture |
| Oversight | GV.OV | Results of cybersecurity activities are reviewed | compliance-governance, soc-operations |
| Cybersecurity Supply Chain Risk Management | GV.SC | Supply chain risks are managed | devsecops, container-security |

### Identify (ID)

| Category | ID | Description | Subdomain Coverage |
|----------|-----|------------|-------------------|
| Asset Management | ID.AM | Assets that enable the organization are identified and managed | cloud-security, container-security, network-security |
| Risk Assessment | ID.RA | The cybersecurity risk to the organization is understood | vulnerability-management, threat-intelligence, penetration-testing, red-teaming |
| Improvement | ID.IM | Improvements to organizational cybersecurity are identified | soc-operations, red-teaming, compliance-governance |

### Protect (PR)

| Category | ID | Description | Subdomain Coverage |
|----------|-----|------------|-------------------|
| Identity Management, Authentication, and Access Control | PR.AA | Access is limited to authorized users, services, and hardware | identity-access-management, zero-trust-architecture |
| Awareness and Training | PR.AT | Personnel are provided cybersecurity awareness and training | phishing-defense, compliance-governance |
| Data Security | PR.DS | Data are managed consistent with the organization's risk strategy | cryptography, cloud-security, api-security |
| Platform Security | PR.PS | Hardware, software, and services are managed consistent with risk strategy | endpoint-security, container-security, devsecops, ot-ics-security |
| Technology Infrastructure Resilience | PR.IR | Security architectures are managed to protect asset confidentiality, integrity, and availability | network-security, zero-trust-architecture, ot-ics-security |

### Detect (DE)

| Category | ID | Description | Subdomain Coverage |
|----------|-----|------------|-------------------|
| Continuous Monitoring | DE.CM | Assets are monitored to find anomalies and indicators of compromise | soc-operations, threat-hunting, network-security, endpoint-security |
| Adverse Event Analysis | DE.AE | Anomalies and potential adverse events are analyzed | threat-hunting, malware-analysis, soc-operations, threat-intelligence |

### Respond (RS)

| Category | ID | Description | Subdomain Coverage |
|----------|-----|------------|-------------------|
| Incident Management | RS.MA | Responses to detected incidents are managed | incident-response, soc-operations |
| Incident Analysis | RS.AN | Investigations are conducted to understand the incident | digital-forensics, malware-analysis, threat-intelligence |
| Incident Response Reporting and Communication | RS.CO | Response activities are coordinated with internal and external stakeholders | incident-response, compliance-governance |
| Incident Mitigation | RS.MI | Activities are performed to prevent expansion and mitigate effects | incident-response, endpoint-security, network-security |

### Recover (RC)

| Category | ID | Description | Subdomain Coverage |
|----------|-----|------------|-------------------|
| Incident Recovery Plan Execution | RC.RP | Restoration activities are performed to ensure operational availability | incident-response, ransomware-defense |
| Incident Recovery Communication | RC.CO | Restoration activities are coordinated with internal and external parties | incident-response, compliance-governance |

## Gap Analysis

| CSF Category | Current Coverage | Gap |
|-------------|-----------------|-----|
| GV.OC | Low (5 skills) | Need more organizational security context and mission alignment skills |
| GV.PO | Low | Need dedicated policy development and management skills |
| PR.AT | Moderate (16 skills) | Could expand security awareness training beyond phishing |
| RC.RP | Low (29 skills) | Need more disaster recovery and business continuity skills |
| RC.CO | Low | Need dedicated incident communication and stakeholder management skills |
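Review bot: the table under "Subdomain-to-CSF Alignment" is an unfinished stub: its header lists `PR` twice, the only body row `| | | Govern | Identify | Protect | Protect | Detect | Respond | Recover |` is a second header rather than data, and there are no subdomain rows, so it renders as a broken table; either populate it from the Detailed Alignment table (one row per subdomain, one mark per function) or drop it and keep Detailed Alignment as the single cross-reference. In the Gap Analysis, the rating scale is inconsistent: RC.RP with 29 skills is "Low" while PR.AT with 16 is "Moderate", and GV.PO and RC.CO carry no count at all; define the thresholds and rate every row from the category counts in the mapping file. Several coverage rows here (PR.PS and PR.IR adding ot-ics-security, DE.CM adding endpoint-security, DE.AE adding threat-intelligence, ID.RA adding penetration-testing and red-teaming) list subdomains that the category tables in the sibling mapping file do not; the two files should be generated from one source so they agree.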
@@ -0,0 +1,177 @@
|
||||
# OWASP Top 10 (2025) Mapping
|
||||
|
||||
This directory maps the cybersecurity skills in this repository to the [OWASP Top 10](https://owasp.org/www-project-top-ten/) categories for web application security risks.
|
||||
|
||||
## Overview
|
||||
|
||||
The OWASP Top 10 represents the most critical security risks to web applications. This mapping connects hands-on skills to each risk category, enabling teams to build targeted training programs for secure development and application security testing.
|
||||
|
||||
## OWASP Top 10 2025 Skill Mapping
|
||||
|
||||
### A01:2025 -- Broken Access Control
|
||||
|
||||
Restrictions on what authenticated users are allowed to do are not properly enforced.
|
||||
|
||||
| Relevant Subdomains | Skills | Key Topics |
|
||||
|---------------------|--------|------------|
|
||||
| web-application-security | 41 | IDOR, privilege escalation, path traversal, CORS misconfiguration |
|
||||
| identity-access-management | 33 | RBAC, ABAC, session management, OAuth/OIDC flaws |
|
||||
| api-security | 28 | Broken object level authorization (BOLA), function level authorization |
|
||||
| zero-trust-architecture | 13 | Least privilege enforcement, microsegmentation |
|
||||
|
||||
**Example skills:** Implementing RBAC, testing for IDOR vulnerabilities, configuring OAuth 2.0 securely, enforcing API authorization policies.
|
||||
|
||||
### A02:2025 -- Cryptographic Failures
|
||||
|
||||
Failures related to cryptography that lead to exposure of sensitive data.
|
||||
|
||||
| Relevant Subdomains | Skills | Key Topics |
|
||||
|---------------------|--------|------------|
|
||||
| cryptography | 13 | TLS configuration, key management, hashing, encryption at rest |
|
||||
| web-application-security | 41 | HTTPS enforcement, cookie security flags, certificate validation |
|
||||
| cloud-security | 48 | KMS configuration, secrets management, encryption in transit |
|
||||
| api-security | 28 | API transport security, token encryption |
|
||||
|
||||
**Example skills:** Configuring TLS 1.3, implementing envelope encryption with KMS, securing JWT tokens, certificate pinning.
|
||||
|
||||
### A03:2025 -- Injection
|
||||
|
||||
User-supplied data is sent to an interpreter as part of a command or query without proper validation.
|
||||
|
||||
| Relevant Subdomains | Skills | Key Topics |
|
||||
|---------------------|--------|------------|
|
||||
| web-application-security | 41 | SQL injection, XSS, command injection, LDAP injection |
|
||||
| api-security | 28 | GraphQL injection, NoSQL injection, header injection |
|
||||
| devsecops | 16 | SAST/DAST scanning, input validation, parameterized queries |
|
||||
| penetration-testing | 23 | Injection testing, payload crafting, WAF bypass |
|
||||
|
||||
**Example skills:** Exploiting and remediating SQL injection, testing for stored/reflected XSS, configuring parameterized queries, SAST pipeline integration.
|
||||
|
||||
### A04:2025 -- Insecure Design
|
||||
|
||||
Risks related to design and architectural flaws, calling for more use of threat modeling and secure design patterns.
|
||||
|
||||
| Relevant Subdomains | Skills | Key Topics |
|
||||
|---------------------|--------|------------|
|
||||
| devsecops | 16 | Threat modeling, secure SDLC, security requirements |
|
||||
| zero-trust-architecture | 13 | Zero trust design principles, defense in depth |
|
||||
| compliance-governance | 5 | Security architecture review, risk assessment frameworks |
|
||||
| web-application-security | 41 | Business logic flaws, trust boundary definition |
|
||||
|
||||
**Example skills:** Conducting threat modeling with STRIDE, implementing secure design patterns, defining trust boundaries, security architecture review.

### A05:2025 -- Security Misconfiguration

Missing or incorrect security hardening across the application stack.

| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| cloud-security | 48 | Cloud service misconfiguration, IAM policy errors, S3 bucket exposure |
| container-security | 26 | Container hardening, Kubernetes RBAC, pod security policies |
| network-security | 33 | Firewall rules, segmentation errors, default credentials |
| endpoint-security | 16 | OS hardening, unnecessary services, default configurations |

**Example skills:** Auditing AWS S3 bucket permissions, hardening Kubernetes clusters, configuring security headers, CIS benchmark compliance.

### A06:2025 -- Vulnerable and Outdated Components

Using components with known vulnerabilities or that are no longer maintained.

| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| vulnerability-management | 24 | CVE tracking, vulnerability scanning, patch management |
| devsecops | 16 | SCA scanning, dependency management, SBOM generation |
| container-security | 26 | Image scanning, base image updates, registry security |
| web-application-security | 41 | Third-party library vulnerabilities, framework updates |

**Example skills:** Running Trivy container scans, implementing SCA in CI/CD, generating and analyzing SBOMs, CVE prioritization with CVSS/EPSS.

### A07:2025 -- Identification and Authentication Failures

Weaknesses in authentication and session management.

| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| identity-access-management | 33 | MFA implementation, password policies, session fixation |
| web-application-security | 41 | Credential stuffing defense, brute force protection |
| api-security | 28 | API key management, OAuth token handling, JWT validation |
| phishing-defense | 16 | Credential phishing prevention, anti-phishing controls |

**Example skills:** Implementing FIDO2/WebAuthn, configuring adaptive MFA, securing API authentication, detecting credential stuffing attacks.

### A08:2025 -- Software and Data Integrity Failures

Failures related to code and infrastructure that do not protect against integrity violations.

| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| devsecops | 16 | CI/CD pipeline security, code signing, artifact integrity |
| container-security | 26 | Image signing, admission control, supply chain verification |
| cryptography | 13 | Digital signatures, integrity hashing, code signing certificates |
| vulnerability-management | 24 | Supply chain risk, dependency integrity verification |

**Example skills:** Implementing Sigstore for container signing, securing CI/CD pipelines, verifying software supply chain integrity, content trust enforcement.
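
The artifact-integrity check that the "artifact integrity" and "supply chain verification" topics above refer to, as an added example that is not the repository's own code. It authenticates a digest manifest with an HMAC-SHA256 tag under a shared key as a stand-in for the asymmetric signature a real pipeline would use (Sigstore or a code-signing certificate, as the skill list mentions); the artifacts, manifest and key are constructed placeholder values.

```python
"""Software and data integrity (A08): verify a build artifact against an
authenticated digest manifest before using it.

Added example, not the repository's own code. The HMAC tag stands in for a
real signature; SIGNING_KEY and ARTIFACTS are constructed placeholders.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(digests: dict[str, str]) -> bytes:
    """Canonical JSON so producer and consumer tag exactly the same bytes."""
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: dict[str, bytes], key: bytes) -> dict:
    """Producer side: record each artifact's digest and tag the manifest."""
    digests = {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}
    tag = hmac.new(key, canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_artifact(manifest: dict, key: bytes, name: str, blob: bytes) -> bool:
    """Consumer side. True only if (1) the manifest tag verifies, (2) the
    artifact is listed, and (3) its digest matches. Comparisons are
    constant-time so timing does not reveal how much of a value matched."""
    expected_tag = hmac.new(key, canonical(manifest["digests"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False  # manifest altered, or produced under a different key
    listed = manifest["digests"].get(name)
    if listed is None:
        return False  # unlisted artifact is never trusted by default
    return hmac.compare_digest(listed, sha256_hex(blob))


# Constructed sample key and artifacts (placeholders, not real build output).
SIGNING_KEY = b"example-shared-key-not-for-production"
ARTIFACTS = {
    "app.tar.gz": b"pretend tarball bytes v1.2.3",
    "app.sbom.json": b'{"bomFormat":"CycloneDX"}',
}
MANIFEST = build_manifest(ARTIFACTS, SIGNING_KEY)


def check_scenarios() -> dict[str, bool]:
    """Exercise the happy path and three distinct integrity violations."""
    edited = {"digests": dict(MANIFEST["digests"]), "tag": MANIFEST["tag"]}
    edited["digests"]["app.tar.gz"] = sha256_hex(b"replaced build")  # unsigned edit
    return {
        "genuine": verify_artifact(MANIFEST, SIGNING_KEY, "app.tar.gz", ARTIFACTS["app.tar.gz"]),
        "modified_artifact": verify_artifact(MANIFEST, SIGNING_KEY, "app.tar.gz", b"replaced build"),
        "unlisted_artifact": verify_artifact(MANIFEST, SIGNING_KEY, "extra.so", b"anything"),
        "edited_manifest": verify_artifact(edited, SIGNING_KEY, "app.tar.gz", b"replaced build"),
    }


if __name__ == "__main__":
    for scenario, accepted in check_scenarios().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

The edited-manifest case is the one that plain digest checking misses: if the consumer trusts a digest list that is not itself authenticated, an attacker who can replace the artifact can replace the digest too. Verifying the manifest's tag (or signature) before consulting it closes that gap, which is the same ordering an admission controller applies when it checks an image signature before its digest.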

### A09:2025 -- Security Logging and Monitoring Failures

Insufficient logging, detection, monitoring, and active response.

| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| soc-operations | 33 | SIEM configuration, log aggregation, alert tuning |
| threat-hunting | 35 | Log analysis, detection engineering, hypothesis-driven hunting |
| incident-response | 24 | Incident detection, log-based investigation, response automation |
| network-security | 33 | Network monitoring, flow analysis, IDS/IPS tuning |

**Example skills:** Analyzing security logs with Splunk, writing Sigma detection rules, configuring SIEM correlation rules, implementing centralized logging.

### A10:2025 -- Server-Side Request Forgery (SSRF)

Fetching a remote resource without validating the user-supplied URL.

| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| web-application-security | 41 | SSRF exploitation, URL validation, allowlisting |
| cloud-security | 48 | IMDS exploitation, cloud metadata access, VPC endpoint security |
| api-security | 28 | API-to-API SSRF, webhook validation |
| penetration-testing | 23 | SSRF detection and exploitation techniques |

**Example skills:** Testing for SSRF vulnerabilities, securing cloud metadata endpoints (IMDSv2), implementing URL validation and allowlisting, detecting SSRF in API integrations.
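
The "URL validation and allowlisting" control named above, as an added example that is not the repository's own code. It is the application-side complement to enforcing IMDSv2 on the instance: the server validates a user-supplied URL against a scheme, host and port allowlist, refuses IP literals outright, and rejects allowlisted names that resolve to non-public addresses. The allowed hosts and the `FAKE_DNS` table are constructed stand-ins; a real service would resolve with DNS and then connect to the checked address (pinning it) so that a rebinding between check and fetch cannot redirect the request.

```python
"""SSRF (A10): validate a user-supplied URL before the server fetches it.

Added example, not the repository's own code. ALLOWED_HOSTS and FAKE_DNS are
constructed for the demo; the resolved addresses are placeholders.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example", "webhooks.example"}  # constructed
ALLOWED_PORTS = {443}

# Constructed stand-in for DNS resolution: hostname -> resolved address.
FAKE_DNS = {
    "api.partner.example": "192.0.3.10",  # placeholder, globally routable
    "webhooks.example": "10.0.0.5",       # allowlisted name pointing inward
}


def is_public_address(addr: str) -> bool:
    """True only for globally routable addresses. Loopback, private,
    link-local (which includes the 169.254.169.254 metadata address),
    documentation and reserved ranges all return False, for IPv4 and IPv6."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def validate_outbound_url(url: str, resolver=FAKE_DNS) -> tuple[bool, str]:
    """Return (allowed, reason). Every check is an allowlist check, so any
    unexpected shape of input falls through to rejection."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"  # user@host tricks the eye, not the parser
    host = parts.hostname
    if host is None:
        return False, "missing host"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        ipaddress.ip_address(host)  # succeeds for "127.0.0.1", "::1", "169.254.169.254", ...
        return False, "IP literal not allowed"
    except ValueError:
        pass  # a named host; continue with the allowlist
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    resolved = resolver.get(host)
    if resolved is None or not is_public_address(resolved):
        return False, "host resolves to a non-public address"
    return True, "ok"


def check_scenarios() -> dict[str, bool]:
    """Constructed inputs covering the accepted path and common rejections."""
    cases = {
        "allowlisted_host": "https://api.partner.example/v1/ping",
        "plain_http": "http://api.partner.example/v1/ping",
        "metadata_literal": "https://169.254.169.254/latest/meta-data/",
        "loopback_ipv6": "https://[::1]/admin",
        "credentials_trick": "https://api.partner.example@internal.example/",
        "unusual_port": "https://api.partner.example:8080/",
        "internal_resolution": "https://webhooks.example/hook",
    }
    return {name: validate_outbound_url(url)[0] for name, url in cases.items()}


if __name__ == "__main__":
    for name, allowed in check_scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

Refusing all IP literals (rather than trying to enumerate the bad ones) sidesteps the many alternative encodings of the same address, and the post-resolution check catches the case the allowlist alone misses: a trusted name whose DNS record now points at an internal range.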

## Cross-Reference: OWASP to ATT&CK

| OWASP Category | Related ATT&CK Techniques |
|----------------|---------------------------|
| A01: Broken Access Control | T1078 (Valid Accounts), T1548 (Abuse Elevation Control) |
| A02: Cryptographic Failures | T1557 (Adversary-in-the-Middle), T1040 (Network Sniffing) |
| A03: Injection | T1190 (Exploit Public-Facing App), T1059 (Command and Scripting) |
| A04: Insecure Design | T1195 (Supply Chain Compromise), cross-cutting |
| A05: Security Misconfiguration | T1574 (Hijack Execution Flow), T1190 |
| A06: Vulnerable Components | T1190 (Exploit Public-Facing App), T1195 |
| A07: Authentication Failures | T1110 (Brute Force), T1539 (Steal Web Session Cookie) |
| A08: Integrity Failures | T1195 (Supply Chain Compromise), T1554 (Compromise Client Software) |
| A09: Logging Failures | T1070 (Indicator Removal), T1562 (Impair Defenses) |
| A10: SSRF | T1190 (Exploit Public-Facing App) |

## Cross-Reference: OWASP to NIST CSF 2.0

| OWASP Category | NIST CSF Functions | CSF Categories |
|----------------|--------------------|----------------|
| A01: Broken Access Control | Protect | PR.AA |
| A02: Cryptographic Failures | Protect | PR.DS |
| A03: Injection | Protect, Detect | PR.DS, DE.AE |
| A04: Insecure Design | Govern, Protect | GV.RM, PR.PS |
| A05: Security Misconfiguration | Protect | PR.PS, PR.IR |
| A06: Vulnerable Components | Identify, Govern | ID.RA, GV.SC |
| A07: Authentication Failures | Protect | PR.AA |
| A08: Integrity Failures | Protect, Govern | PR.DS, GV.SC |
| A09: Logging Failures | Detect | DE.CM, DE.AE |
| A10: SSRF | Protect, Detect | PR.DS, DE.AE |

## References

- [OWASP Top 10 Project](https://owasp.org/www-project-top-ten/)
- [OWASP API Security Top 10](https://owasp.org/API-Security/) -- relevant for the api-security subdomain
- [OWASP Mobile Top 10](https://owasp.org/www-project-mobile-top-10/) -- relevant for the mobile-security subdomain
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/) -- Application Security Verification Standard