Standards Tracking
The framework maps security standards and regulatory requirements to Bastion attack vectors. This lets a project answer "Are we OWASP Top 10 compliant?" with a concrete, vector-backed answer.
Directory Structure
| Subdirectory | Files | Purpose |
|---|---|---|
| owasp/ | top-10-2025.yaml, api-security-2023.yaml, mapping.yaml | OWASP Top 10 + API Security mapped to Bastion vectors |
| nist/ | 800-53-r5.yaml, 800-218.yaml, mapping.yaml | NIST controls relevant to DAML, mapped to vectors |
| fips/ | 140-3.yaml, mapping.yaml | FIPS 140-3 crypto requirements |
| canton/ | releases.yaml, advisories.yaml, upgrade-checklist.yaml | Canton release tracking + security advisories |
| splice/ | releases.yaml, security-notes.yaml | Splice release tracking |
| daml-sdk/ | releases.yaml, advisories.yaml, deprecations.yaml | DAML SDK tracking (e.g., daml to dpm deprecation) |
| root | sync-status.yaml | When each standard was last checked |
Standards to Vector Mapping
Each standards file maps controls to Bastion vectors:
```yaml
# standards/owasp/mapping.yaml
mappings:
  - control: "A01:2021 - Broken Access Control"
    vectors:
      - AV-001      # Self-Transfer
      - AV-002      # Unauthorized Controller
      - AV-004      # Missing Signatory
      - AV-031      # Whitelist Bypass
      - WEB-F-001   # Frontend party spoofing
    semgrep_rules:
      - daml-missing-controller
      - daml-missing-signatory
    coverage: 85%
    gaps:
      - "A01:2021-07 — CORS misconfiguration not yet tracked"
  - control: "A03:2021 - Injection"
    vectors:
      - WEB-B-008   # Canton API proxy injection
      - WEB-B-004   # Unbounded array inputs
    coverage: 60%
    gaps:
      - "DAML Script injection via user-supplied script arguments"
```
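To show how such a mapping turns "are we compliant?" into a vector-backed answer, here is an added example (not Bastion's own code) that walks the mapping above against a constructed list of scan findings and reports, per control, which mapped vectors were hit, which vector ids are unknown to the catalog, and whether partial coverage or listed gaps qualify the answer. The `MAPPING` dict is what PyYAML's `yaml.safe_load` would return for the file above; the catalog and findings are assumptions.

```python
"""Vector-backed compliance check over a Bastion standards mapping (added example)."""
from typing import Iterable, Optional

# Loaded form of standards/owasp/mapping.yaml as shown above; in practice use
# yaml.safe_load(open(path)) on the real file instead of this literal.
MAPPING = {"mappings": [
    {"control": "A01:2021 - Broken Access Control",
     "vectors": ["AV-001", "AV-002", "AV-004", "AV-031", "WEB-F-001"],
     "semgrep_rules": ["daml-missing-controller", "daml-missing-signatory"],
     "coverage": "85%",
     "gaps": ["A01:2021-07 — CORS misconfiguration not yet tracked"]},
    {"control": "A03:2021 - Injection",
     "vectors": ["WEB-B-008", "WEB-B-004"],
     "coverage": "60%",
     "gaps": ["DAML Script injection via user-supplied script arguments"]},
]}

def assess(mapping: dict, findings: Iterable[str],
           catalog: Optional[set] = None) -> list:
    """Per control: mapped vectors hit by findings, vector ids missing from the
    catalog (a stale mapping), and a status that stays qualified when the
    mapping itself admits partial coverage or open gaps."""
    hit = set(findings)
    report = []
    for m in mapping["mappings"]:
        vectors = m.get("vectors", [])
        failing = sorted(v for v in vectors if v in hit)
        unknown = sorted(v for v in vectors
                         if catalog is not None and v not in catalog)
        coverage = int(str(m.get("coverage", "0%")).rstrip("%"))
        gaps = list(m.get("gaps", []))
        if failing:
            status = "fail"            # a mapped vector fired in the scan
        elif coverage < 100 or gaps:
            status = "pass-partial"    # clean, but the mapping is incomplete
        else:
            status = "pass"
        report.append({"control": m["control"], "status": status,
                       "failing_vectors": failing, "unknown_vectors": unknown,
                       "coverage": coverage, "gaps": gaps})
    return report

def compliant(report: list) -> bool:
    """True when no control has a mapped vector that fired."""
    return all(r["status"] != "fail" for r in report)

if __name__ == "__main__":
    # Constructed scan output: one AV-002 (Unauthorized Controller) finding.
    for r in assess(MAPPING, findings=["AV-002"]):
        print(r["control"], r["status"], r["failing_vectors"], r["gaps"])
```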
How Standards Updates Flow
The standards-sync agent (see LAYERS.md) monitors these sources and proposes vector expansions or new vectors when standards change. Updates flow through the same four-layer pipeline as all other content.