Content rules

SD Elements identifies relevant content for projects based on match conditions, or rules. The inclusion of content such as Weaknesses, Countermeasures, How-tos, and Additional Requirements is governed by evaluating Boolean logic. The inputs to the Boolean logic are the Answers selected in a project Survey: Answers selected in a project Survey evaluate to True, and Answers not selected evaluate to False. Content without rules is considered always applicable.

For example, consider a Weakness W having the following match conditions:

(A AND B) OR (C)

The values A, B, and C correspond to answers that may be selected in the project survey. According to the definition above, Weakness W is only relevant to projects when at least one of the following conditions is met:

  • (A AND B) evaluates to True

  • (C) evaluates to True

In terms of the project survey these conditions map to whether a user selects answers A and B and/or C. Any other combination of answers should not identify Weakness W as being relevant to a project.

Consider the Weakness Missing Password Encryption that affects projects In scope for PCI. It has a set of rules:

(Uses retail1 framework AND In scope for PCI) OR (Handles authentication AND Changes to authentication AND In scope for PCI)

In this example, the Weakness won’t be relevant to a project unless at least one of the two match conditions holds.
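The evaluation described above, written out as an added example (this is not SD Elements code; the rule representation as a list of AND-blocks, each a list of possibly negated answer literals, is an assumption made for the illustration). Selected answers evaluate to True, unselected answers to False, a rule matches when any AND-block is fully satisfied, and content with no rule is always applicable:

```python
# Added example: evaluating DNF-style match conditions against the set of
# Survey answers a project selected. Not SD Elements code; the rule format
# (OR of AND-blocks, literals as (answer, negated) tuples) is an assumption.

# A literal is (answer_text, negated). An AND-block is a list of literals.
# A rule is a list of AND-blocks joined by OR.
Literal = tuple[str, bool]
Rule = list[list[Literal]]


def literal_true(literal: Literal, selected: set[str]) -> bool:
    """A selected answer is True, an unselected one False; NOT flips it."""
    answer, negated = literal
    value = answer in selected
    return (not value) if negated else value


def block_true(block: list[Literal], selected: set[str]) -> bool:
    """An AND-block holds only when every literal in it holds."""
    return all(literal_true(lit, selected) for lit in block)


def rule_matches(rule: Rule, selected: set[str]) -> bool:
    """Content with no rule is always applicable; otherwise any block suffices."""
    if not rule:
        return True
    return any(block_true(block, selected) for block in rule)


def relevant_content(library: dict[str, Rule], selected: set[str]) -> list[str]:
    """Names of library entries whose rules match the given survey answers."""
    return [name for name, rule in library.items() if rule_matches(rule, selected)]


# Weakness W from the page: (A AND B) OR (C)
WEAKNESS_W: Rule = [[("A", False), ("B", False)], [("C", False)]]

# Missing Password Encryption from the page:
# (Uses retail1 framework AND In scope for PCI)
#   OR (Handles authentication AND Changes to authentication AND In scope for PCI)
MISSING_PASSWORD_ENCRYPTION: Rule = [
    [("Uses retail1 framework", False), ("In scope for PCI", False)],
    [
        ("Handles authentication", False),
        ("Changes to authentication", False),
        ("In scope for PCI", False),
    ],
]

# Constructed library: a rule-less Countermeasure is always applicable.
LIBRARY: dict[str, Rule] = {
    "Missing Password Encryption": MISSING_PASSWORD_ENCRYPTION,
    "Always-applicable Countermeasure": [],
}

if __name__ == "__main__":
    # Constructed survey: retail1 framework in use, but not in PCI scope.
    survey = {"Uses retail1 framework", "Handles authentication"}
    print(relevant_content(LIBRARY, survey))
    # Adding the PCI answer completes the first AND-block.
    survey.add("In scope for PCI")
    print(relevant_content(LIBRARY, survey))
```

The same evaluator runs the Weakness W example: selecting A alone does not match, selecting A and B does, and selecting C alone does regardless of A and B.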

Advanced content rules

Please reach out to your Sales Support representative if you need more context or information about this topic.

Content rules decide when a Weakness or its content is applicable to a project. At times, there is a need for advanced rules for content, such as:

NOT (Application is web services OR Application is web application) AND (Application has internal and external users OR (Application has internal users only AND stores, process or transmits credit card data))

To model an advanced rule in SD Elements, convert it to Disjunctive Normal Form (DNF). This means that rules are formed by blocks of AND operators, which are joined by OR operators. You can use a DNF calculator such as the Wolfram Alpha boolean logic calculator to convert your rule to a format usable by SD Elements.

For example, substitute short variables for the answers above (A = Application is web services, B = Application is web application, C = Application has internal and external users, D = Application has internal users only, E = stores, process or transmits credit card data) and enter the following term in the calculator (note that "~" means NOT, "||" means OR, and "&&" means AND):

DNF ~(A || B) && (C || (D && E))

This yields:

(~A && ~B && C) || (~A && ~B && D && E)

We can convert this to the following rule in SD Elements:

NOT (Application is web services) AND NOT (Application is web application) AND Application has internal and external users
OR
NOT (Application is web services) AND NOT (Application is web application) AND Application has internal users only AND stores, process or transmits credit card data
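Before entering a converted rule, it is worth confirming that the DNF really is equivalent to the original expression, since a rule that is subtly wrong silently includes or excludes content for some survey combinations. The following added example (not SD Elements code or a tool it provides) checks the conversion above by exhaustively comparing the two forms over all 32 assignments of the five variables, and shows how a mistaken conversion, constructed here by failing to push NOT through the OR, is caught with a concrete counterexample:

```python
# Added example: verifying a DNF conversion by exhaustive truth table.
# Variable names follow the page: A = Application is web services,
# B = Application is web application, C = Application has internal and
# external users, D = Application has internal users only,
# E = stores, process or transmits credit card data.
from itertools import product

VARIABLES = ("A", "B", "C", "D", "E")


def original_rule(a: bool, b: bool, c: bool, d: bool, e: bool) -> bool:
    """NOT (A OR B) AND (C OR (D AND E)), as written before conversion."""
    return (not (a or b)) and (c or (d and e))


def dnf_rule(a: bool, b: bool, c: bool, d: bool, e: bool) -> bool:
    """(~A && ~B && C) || (~A && ~B && D && E), the calculator's output."""
    return ((not a) and (not b) and c) or ((not a) and (not b) and d and e)


def wrong_dnf(a: bool, b: bool, c: bool, d: bool, e: bool) -> bool:
    """Constructed mistake: NOT was applied to A only, not to (A OR B)."""
    return ((not a) and c) or ((not a) and d and e)


def counterexamples(f, g, n_vars: int = len(VARIABLES)) -> list[dict[str, bool]]:
    """Every assignment on which the two rules disagree, named by variable."""
    mismatches = []
    for values in product((False, True), repeat=n_vars):
        if f(*values) != g(*values):
            mismatches.append(dict(zip(VARIABLES, values)))
    return mismatches


def equivalent(f, g) -> bool:
    """True when the two rules agree on every possible set of survey answers."""
    return not counterexamples(f, g)


if __name__ == "__main__":
    print("DNF matches original:", equivalent(original_rule, dnf_rule))
    print("Mistaken DNF matches original:", equivalent(original_rule, wrong_dnf))
    # The first counterexample is a survey that selects "web application"
    # together with "internal and external users": the original rule excludes
    # it, the mistaken conversion would include it.
    print(counterexamples(original_rule, wrong_dnf)[0])
```

Each counterexample is a set of survey answers on which the two rules disagree, which is exactly the information needed to see which projects the faulty rule would misclassify.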
