Get your project into OpenCRE today


Spyros G

Oct 9, 2023, 6:52:12 AM10/9/23
to Leaders
Hey everyone,

We, the team from OpenCRE, have great news for you!
We implemented an easy way for your project to:
  1. make your content part of the generative AI in OpenCRE-chat, so people will get answers from your work and get referred to your work
  2. link your users to a whole range of relevant resources connected to OpenCRE
  3. make your project findable for people being linked from other standards through OpenCRE
You might have seen the news about the OpenCRE.org security chatbot.
It extends OpenCRE as a gateway to the information contained in (OWASP) standards by simply letting people ask questions about security, in their own language. 
They get more reliable answers, and links to the relevant standards. This way we are democratizing security.
OpenCRE-Chat is growing rapidly in popularity both within OWASP and outside (20k page views per day), while the list of adopted resources in OpenCRE also grows. Recently we added both SAMM and the CCM from Cloud Security Alliance.

With this, it may be time for you and your project to get something out of this.
While the OpenCRE team is working on several new and exciting features, I wanted to note that there is still a significant amount of OWASP information missing from the OpenCRE graph.
This is a shame, as not only do we deprive the community of some of the best documentation out there, but your users are also missing out on a view of how your project fits into a security programme and links to other resources.
To link your project to OpenCRE you can do one of 3 things:
  • If your project is documentation, e.g. Cheatsheets, you can put self-contained links in the relevant parts of your repository. We will parse the links and update our databases. Your users can use the link to find more information on the common requirement that you link to with the cre-id. Self-contained link format:
[OpenCRE](https://opencre.org/cre/<cre-id>?name=<your project name>&section=<the optional section-name or rule-name or challenge-name>&sectionId=<the optional section-id or rule-id or challenge-id>&link=<url for where you want us to point to; if it's empty we'll add a link to the GitHub page where we found this link>)
For example the Secure Headers Project has added:
 
We regularly parse the Secure Headers project source and, based on the above, automatically add a link to the Secure Headers page from the ‘636-347, HTTP Security headers’ section at OpenCRE. That way readers of Secure Headers can find more info, and people referred by other resources to ‘HTTP Security headers’ can find the Secure Headers project.
In this example, there is only one link from the project to CRE, but SAMM has a link to the corresponding CRE common requirement with every SAMM stream.

  • If your project is an application, you can do one of two things:
    • Stick a self-contained link in your GitHub README. This will add a single OpenCRE entry pointing to your project as a whole (same as WrongSecrets has).
    • If you need more flexibility, e.g. if you have individual challenges or individual rules you want to link to individual CREs, you can add self-contained links to OpenCRE in a markdown table somewhere in your repository.
  • If your project is anything else (not documentation and not a tool/application), we are more than happy to work with you in creating parsers.

The last thing you need to do is open a ticket on our GitHub https://github.com/OWASP/OpenCRE/issues asking us to parse your project, with a link to the source where the links to us exist (repo).

If your project would generate a significant amount of links (e.g. Juice Shop has a lot of challenges) and it is therefore significant work for you to add them, don't fret!
We are happy to work with you to find a way to generate those links!
e.g.
  • For Juice Shop we parsed their challenges JSON and used some quick AI to find decent linked OpenCRE entries; they then automated the updating of their challenges table with our OpenCRE links.
  • For ZAP we used the fact that they already link to CWE, which we have in our database.
  • For Cornucopia we used AI to create those links, and then they updated their cards JSON based on the info we gave them to point to us. Now we can permanently parse this JSON easily.
To preserve our information accuracy, we would prefer to start with Flagship and Production projects; however, we are happy to make exceptions for Incubator and Lab projects that have a strong track record and community (e.g. Top 10 for LLM and AI come to mind, among others).

Best,
Spyros & Rob, OpenCRE leads
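As an added illustration (not code from the OpenCRE project or this post), here is a small Python scanner that pulls the self-contained OpenCRE links described above out of a README or markdown table, decodes the name/section/sectionId/link parameters, and falls back to the scanned page's URL when link is empty. The sample markdown and the three-digits-dash-three-digits id check (modelled on the 636-347 example in the post) are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Matches the self-contained link form described in the post:
#   [OpenCRE](https://opencre.org/cre/<cre-id>?name=...&section=...&sectionId=...&link=...)
OPENCRE_LINK = re.compile(r"\[OpenCRE\]\((https://opencre\.org/cre/[^)\s]+)\)")

# Assumed id shape, taken from the '636-347' example; adjust if your ids differ.
CRE_ID_SHAPE = re.compile(r"\d{3}-\d{3}")

# Constructed sample README (hypothetical project, not a real OWASP page).
SAMPLE_README = """
# Example project
See [OpenCRE](https://opencre.org/cre/636-347?name=Example%20Headers&section=HTTP%20Security%20Headers&sectionId=hdr-1&link=https://example.org/headers)

| Challenge    | CRE |
|--------------|-----|
| Login bypass | [OpenCRE](https://opencre.org/cre/223-780?name=Example%20App&section=Login%20bypass&sectionId=ch-7&link=) |
| Broken one   | [OpenCRE](https://opencre.org/cre/not-an-id?name=Example%20App) |
"""


def parse_opencre_links(markdown: str, source_page: str) -> list[dict]:
    """Return one dict per well-formed OpenCRE self-contained link in `markdown`.

    `source_page` is the URL of the file being scanned (e.g. its GitHub page) and
    is used when the `link` parameter is empty or absent, as the post says the
    OpenCRE parser does. Links whose id does not match CRE_ID_SHAPE are skipped.
    """
    results = []
    for match in OPENCRE_LINK.finditer(markdown):
        url = urlparse(match.group(1))
        cre_id = url.path.rsplit("/", 1)[-1]
        if not CRE_ID_SHAPE.fullmatch(cre_id):
            continue  # malformed id: do not create an entry for it
        # keep_blank_values so 'section=' yields '' instead of disappearing
        params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        results.append({
            "cre_id": cre_id,
            "name": params.get("name", ""),
            "section": params.get("section", ""),
            "section_id": params.get("sectionId", ""),
            "link": params.get("link") or source_page,
        })
    return results


if __name__ == "__main__":
    for entry in parse_opencre_links(SAMPLE_README, "https://github.com/example/project/blob/main/README.md"):
        print(entry)
```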