## Overview

OSSASAI security testing combines automated verification with manual assessment to ensure comprehensive coverage of security controls.
## Testing Methodology

```text
┌─────────────────────────────────────────────────────────────────┐
│                   OSSASAI Testing Methodology                   │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   ┌──────────────┐    ┌──────────────┐    ┌──────────────┐      │
│   │  Automated   │    │    Manual    │    │  Continuous  │      │
│   │   Testing    │    │   Testing    │    │  Monitoring  │      │
│   ├──────────────┤    ├──────────────┤    ├──────────────┤      │
│   │ • Audit      │    │ • Penetration│    │ • Runtime    │      │
│   │   Script     │    │   Testing    │    │   Checks     │      │
│   │ • Config     │    │ • Code       │    │ • Anomaly    │      │
│   │   Validation │    │   Review     │    │   Detection  │      │
│   │ • SBOM       │    │ • Threat     │    │ • Log        │      │
│   │   Scanning   │    │   Modeling   │    │   Analysis   │      │
│   └──────────────┘    └──────────────┘    └──────────────┘      │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```
## Testing Types

### Automated Audit

Script-based verification of control implementation.
Manual adversarial testing against controls
Per-control verification steps
## Testing by Assurance Level

| Testing Type | L1 | L2 | L3 |
|---|---|---|---|
| Automated audit | Required | Required | Required |
| Configuration review | Required | Required | Required |
| Dependency scanning | Optional | Required | Required |
| Penetration testing | Optional | Recommended | Required |
| Formal verification | N/A | N/A | Required |
| Third-party assessment | Optional | Recommended | Required |
## Test Coverage Matrix

| Control Domain | Automated | Manual | Continuous |
|---|---|---|---|
| Control Plane (CP) | ● | ○ | ○ |
| Identity (ID) | ● | ● | ○ |
| Tool Blast Radius (TB) | ● | ● | ● |
| Local State (LS) | ● | ○ | ○ |
| Supply Chain (SC) | ● | ○ | ● |
| Formal Verification (FV) | ○ | ● | ● |
| Network Security (NS) | ● | ● | ● |
Legend: ● = Primary, ○ = Secondary
## Quick Start

```bash
# Download audit tools
curl -sSL https://raw.githubusercontent.com/gensecaihq/ossasai/main/tools/ossasai-audit.sh -o ossasai-audit.sh
chmod +x ossasai-audit.sh

# Run baseline assessment
./ossasai-audit.sh --level L2

# Run specific control test
./ossasai-audit.sh --check TB-01

# Generate detailed report
./ossasai-audit.sh --level L2 --verbose --output-format json > report.json
```
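To act on the JSON report in CI, the following added example (not part of the OSSASAI project) turns the "Testing by Assurance Level" table into a pipeline gate: required testing types that are missing from the report or have a failed check block the build, recommended ones only warn. The report schema (`level`, `checks[]` with `id`, `type`, `status`) and the file name `gate.py` are assumptions, not the documented output of `ossasai-audit.sh`.

```python
import json, sys

# Obligation per testing type and assurance level, transcribed from the "Testing
# by Assurance Level" table: "required" blocks the build when the type is absent
# from the report or has a failed check; "recommended" only warns.
LEVEL_REQUIREMENTS = {
    "automated_audit":        {"L1": "required", "L2": "required",    "L3": "required"},
    "configuration_review":   {"L1": "required", "L2": "required",    "L3": "required"},
    "dependency_scanning":    {"L1": "optional", "L2": "required",    "L3": "required"},
    "penetration_testing":    {"L1": "optional", "L2": "recommended", "L3": "required"},
    "formal_verification":    {"L1": "n/a",      "L2": "n/a",         "L3": "required"},
    "third_party_assessment": {"L1": "optional", "L2": "recommended", "L3": "required"},
}

# Constructed sample; this schema is an ASSUMPTION, not the documented output of
# "ossasai-audit.sh --output-format json". CP-03 fails; no pentest results.
SAMPLE_REPORT_JSON = """{"level": "L2", "checks": [
  {"id": "TB-01", "type": "automated_audit",      "status": "pass"},
  {"id": "CP-03", "type": "configuration_review", "status": "fail"},
  {"id": "SC-02", "type": "dependency_scanning",  "status": "pass"}]}"""

def evaluate(report: dict, level: str) -> dict:
    """Return {"block": [...], "warn": [...]} with the reasons to fail or warn."""
    by_type = {}
    for check in report.get("checks", []):
        by_type.setdefault(check["type"], []).append(check)
    block, warn = [], []
    for ttype, per_level in LEVEL_REQUIREMENTS.items():
        need = per_level.get(level, "n/a")
        if need not in ("required", "recommended"):
            continue  # optional or n/a at this level
        results = by_type.get(ttype, [])
        failed = [c["id"] for c in results if c.get("status") != "pass"]
        if results and not failed:
            continue  # obligation satisfied
        msg = (f"{ttype}: failed checks {', '.join(failed)}" if failed
               else f"{ttype}: no results in report")
        (block if need == "required" else warn).append(msg)
    return {"block": block, "warn": warn}

def gate(report_json: str, level: str) -> int:
    # CI exit status: 1 if any required obligation is unmet, otherwise 0.
    verdict = evaluate(json.loads(report_json), level)
    for kind in ("warn", "block"):
        for msg in verdict[kind]:
            print(f"{kind.upper():5} {msg}")
    return 1 if verdict["block"] else 0

if __name__ == "__main__":  # ./ossasai-audit.sh --level L2 --output-format json | python gate.py L2
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT_JSON
    raise SystemExit(gate(data, sys.argv[1] if len(sys.argv) > 1 else "L2"))
```

Run without piped input, the script evaluates the constructed sample and exits 1 because the configuration review failed at L2; raising the target to L3 additionally blocks on the absent penetration test, formal verification and third-party assessment.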
## Testing Schedule

| Activity | Frequency | Trigger |
|---|---|---|
| Automated audit | Continuous (CI/CD) | Every commit/PR |
| Configuration review | Weekly | Scheduled |
| Dependency scan | Daily | Scheduled |
| Penetration test | Quarterly | Scheduled |
| Full assessment | Annually | Scheduled |
| Incident-triggered | As needed | Security event |