You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In the 2024.3 release of the Stakeholder-Specific Vulnerability Classification (SSVC) system, we've made a number of significant changes:
New Web Site
This release debuts the certcc.github.io/SSVC web site to serve as the front-door for all things SSVC.
Diátaxis Framework - We adopted the Diátaxis Framework as a document organization framework for SSVC documentation. High level content categories are: tutorials, how-to, topics, and reference. What used to be a linear paper format is now sectioned off into more digestible pieces.
More call-outs and examples - With our adoption of Material for MkDocs as the underlying toolkit to construct our web site, we were able to better highlight examples, tips, and sidebar topics through the use of call-out boxes throughout the site.
New and Revised Content
Expanded Content - We've included more examples of Decision Points and the like directly inline where they're mentioned so readers don't need to keep flipping back and forth to their definitions for reference.
Bootstrapping advice - Added a Getting Started with SSVC process to help organizations go from being potential SSVC users to being actual SSVC users. This process is based on both our own experience helping organizations adopt SSVC as well as a few field reports of SSVC adoption from the community.
Putting the Pieces Together - Added a Putting the Pieces Together page explaining some of our philosophy regarding how to use SSVC to model decisions. SSVC provides you with the pieces and some instructions on how to assemble them, but you can customize it however you like.
Acuity Ramp - Added an Acuity Ramp explainer to show how an organization can grow into a decision model over time.
Community Engagement - Included in the new web site are a number of suggested ways for the community to interact with and contribute to the SSVC project on Github.
Versioned Objects
Semantic Versioning for Decision Points and Decision Point Groups - Introduced Semantic Versioning (SemVer) for Decision Points and Decision Point Groups to improve communication around decision points and decision models
Calendar Versioning for SSVC as a whole - With the introduction of SemVer for Decision Points and Decision Point Groups, it started to make less sense for us to talk in terms of "SSVC v2.2", especially as we were simultaneously moving away from a PDF document-focused development model towards a more flexible web-based documentation model. Beginning with this version, we anticipate that future tagged releases will use Calendar Versioning (CalVer) instead of SemVer.
Experimental & Emerging Features
There are a few improvements we've begun but have not yet fully finished, and that are largely undocumented. Most of these in the current release are python-centric. Here's a brief overview for those who want to poke around at code.
SSVC Python module - This release introduces the ssvc python module to allow us to more easily work with Decision Points, Decision Point Groups, Outcomes, and Policies that map from Decision Points to Outcomes. We expect to have more to say about this module in the future, but for now it's geared towards helping us produce the site documentation.
Policy Generator - We're prototyping a Python tool that can generate a starting policy given any combination of a Decision Point Group and Outcomes. It's not ready for prime-time yet, but folks with a bit of python skill might be in a position to try it out.
More Decision Points and Outcomes - In the process of exercising our Semantic Versioning rules for decision points and groups, we needed some examples of versioning events for discussion purposes. As a result, the ssvc.decision_points.cvss and ssvc.dp_groups.cvss modules contain python implementations of CVSS vector elements from CVSS v1, v2, v3, v3.1, and v4. We anticipate some of these coming in handy in the future as we look toward modeling other decisions potentially based on CVSS vector elements as well as other decision points from SSVC and elsewhere. We also included decision points and groups from CISA's customized SSVC implementation.
Other project infrastructure improvements
Shifted from PDF-oriented to web-oriented workflow
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
In the 2024.3 release of the Stakeholder-Specific Vulnerability Classification (SSVC) system, we've made a number of significant changes:
New Web Site
This release debuts the certcc.github.io/SSVC web site to serve as the front-door for all things SSVC.
New and Revised Content
Versioned Objects
Experimental & Emerging Features
There are a few improvements we've begun but have not yet fully finished, and that are largely undocumented. Most of these in the current release are python-centric. Here's a brief overview for those who want to poke around at code.
ssvc
python module to allow us to more easily work with Decision Points, Decision Point Groups, Outcomes, and Policies that map from Decision Points to Outcomes. We expect to have more to say about this module in the future, but for now it's geared towards helping us produce the site documentation.ssvc.decision_points.cvss
andssvc.dp_groups.cvss
modules contain python implementations of CVSS vector elements from CVSS v1, v2, v3, v3.1, and v4. We anticipate some of these coming in handy in the future as we look toward modeling other decisions potentially based on CVSS vector elements as well as other decision points from SSVC and elsewhere. We also included decision points and groups from CISA's customized SSVC implementation.Other project infrastructure improvements
What's Changed
howto/index.md
by @ahouseholder in Revisehowto/index.md
#469link_checker.yml
run automatically on push tomain
by @ahouseholder in Makelink_checker.yml
run automatically on push tomain
#471Learning SSVC
by @ahouseholder in Add Calculator blurb toLearning SSVC
#515New Contributors
Full Changelog: v2023.9...v2024.3
This discussion was created from the release SSVC v2024.3.
Beta Was this translation helpful? Give feedback.
All reactions