|
154 | 154 |
|
155 | 155 | <img src="/img/guides/owasp/chart.png" width="80%" border="1px" alt="OWASP Top 10 Chart showing Gold, Silver and Basic tier distribution" /> |
156 | 156 |
|
157 | | -In this section, you will learn how to build an [OWASP Top 10](http://owasp.org/Top10) security scorecard in Port using vulnerability data from Snyk. |
| 157 | +This section explains how to build an [OWASP Top 10](http://owasp.org/Top10) security scorecard in Port using vulnerability data from Snyk. |
158 | 158 | The scorecard resides on the `Repository` blueprint and evaluates data sourced from the `Snyk Target` and `Snyk Vulnerability` blueprints to measure each repository’s security posture against the latest OWASP Top 10 categories. |
159 | 159 |
|
160 | 160 | 1. `Snyk Vulnerability` – Represents individual vulnerabilities of various types. |
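Review bot: The rewritten line 157 still links OWASP over plain HTTP (`http://owasp.org/Top10`); since this is a security scorecard guide, switch it to `https://owasp.org/Top10` so the reference itself is not served over an unauthenticated channel. While touching this line, the sentence names both the `Snyk Target` and `Snyk Vulnerability` blueprints at line 158 but the list that follows at 160 opens with `Snyk Vulnerability` only, so make sure the list item order matches the order the blueprints are introduced in the sentence.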
@@ -1031,21 +1031,21 @@ The final step is to create a scorecard that reflects the security maturity of a |
1031 | 1031 |
|
1032 | 1032 | <h3>Troubleshooting</h3> |
1033 | 1033 |
|
1034 | | -Some common reason for failure with Snyk integration and OWASP Top 10 scorecard realisation maybe as following: |
| 1034 | +Some common issues you may encounter during the implementation: |
1035 | 1035 |
|
1036 | 1036 | 1. **Invalid token:** The `SNYK_TOKEN` does not have privileges or otherwise has been revoked. Ensure that the token is valid and has required permissions so that issues and targets across the Snyk Group can be queried for. |
1037 | 1037 | 2. **OWASP Top 10 2021:** `CWE` field is key to accurately measuring and benchmarking against OWASP Top 10. The current measurement rules are based on the latest OWASP Top 10 i.e. OWASP Top 10 2021 as of this write-up. Discrepancy may arise if following this example without consideration for reviewing against latest OWASP Top 10 issues and the associated CWEs. |
1038 | 1038 | 3. **Missing property data:** This can happen when `CWE` property has been defined on the `Snyk Vulnerability` blueprint, however a sync has not yet occurred. |
1039 | 1039 |
|
1040 | 1040 | <h3>Next steps</h3> |
1041 | 1041 |
|
1042 | | -The following steps are recommended as next steps. |
| 1042 | +Consider the following as next steps: |
1043 | 1043 |
|
1044 | 1044 | 1. **Quality standards:** |
1045 | | - - Eliminate chaos and promote `minimum viable security product` with tiering. |
1046 | | - - Establish a customised standard that best meets your organisation's culture by classifying the OWASP Top 10. |
| 1045 | + - Eliminate chaos and promote `minimum viable security product` with tiering. |
| 1046 | + - Establish a customized standard that best meets your organization's culture by classifying the OWASP Top 10. |
1047 | 1047 | 2. **Self-service actions:** |
1048 | | - - Automatically assign Owners and create a self-service action that triggers an alert to repository owners when tier standards are unmet. |
| 1048 | + - Automatically assign Owners and create a self-service action that triggers an alert to repository owners when tier standards are unmet. |
1049 | 1049 | 3. **Portal Initiative:** |
1050 | | - - Self-service action: Create a self-service action to improve OWASP Tiers for specific repositories. |
1051 | | - - Create an initiative within Port to reduce a specific security weaknesss or promote a specific tier as a standard operating procedure. |
| 1050 | + - Self-service action: Create a self-service action to improve OWASP Tiers for specific repositories. |
| 1051 | + - Create an initiative within Port to reduce a specific security weakness or promote a specific tier as a standard operating procedure. |
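Review bot: The new intro at line 1034 ("Some common issues you may encounter during the implementation:") reads well, but the three troubleshooting items under it keep the phrasing the change was meant to clean up: line 1036 "does not have privileges or otherwise has been revoked ... can be queried for" and line 1037 "Discrepancy may arise if following this example without consideration for reviewing against latest OWASP Top 10 issues" are still ungrammatical, and line 1037's "as of this write-up" should state the revision being targeted explicitly rather than relying on the date of writing, since a reader mapping CWEs to categories needs to know which OWASP Top 10 list the rules encode. Suggest, for example, "The `SNYK_TOKEN` lacks the required permissions or has been revoked" and "Results will drift if the CWE-to-category mapping is not kept aligned with the current OWASP Top 10 (this guide uses the 2021 list)". Two smaller points in the Next steps block: line 1045 wraps `minimum viable security product` in backticks although it is a term, not an identifier, and line 1050 repeats itself ("Self-service action: Create a self-service action ..."); drop the leading label or the repeated phrase.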