Feature Request
Description of Problem:
- We've now worked through the entire "thread" of CCC, from capabilities to CFI test results. We now need to operationalise this.
- We need to stay on top of new threats as they occur, and make sure that CCC responds to those.
- Ideally, CCC should be a "living document" of how to secure cloud services.
- At the moment, a lot of our controls are looking out-of-date and some are incomplete.
Potential Solutions:
We should write automatic GitHub actions and "Skills", which allow an LLM to follow best practices for creating Taxonomy, Threats and Controls (see diagram)
- Taxonomy: This is mainly a one-time thing, where we need to give the GitHub Action the type of service. It should create a PR proposing this.
- Threats: Possibly should run periodically, creates a PR that the Security WG can review. Once merged, the release process can happen automatically.
- Controls: Should run when new threats become mapped. Do we need new controls? If not, should we store somewhere the reasoning for why not?
Further Considerations
- We might write a file containing "rejected threats" or "rejected controls" so that the LLM doesn't keep regenerating the stuff we don't want.
- We might include in the action commands to download recent advisories / lists of new Att&ck/D3fend entries etc. And store these alongside the new yaml files.
- GitHub currently allows you to call LLMs as part of an action. e.g : https://models.github.ai/inference/chat/completions. So this shouldn't require new infrastructure being set up.
Feature Request
Description of Problem:
Potential Solutions:
We should write automatic GitHub actions and "Skills", which allow an LLM to follow best practices for creating Taxonomy, Threats and Controls (see diagram)
Further Considerations