Secruity Benchmarks vs Traditional Software
Security Benchmark Code VS Traditional Software Applications
When planning your team's approach, remember that a Security Benchmark is only considered 'complete and valid' when all requirements for that specific Release or Major Version are met. This differs from traditional software projects where features and capabilities can be incrementally added.
Security Benchmarks Are Release-Specific
A Security Benchmark and its corresponding InSpec Profile are only applicable within the context of a specific 'Release' of that Benchmark.
The choice between a micro
or massive
approach depends more on your team's work style preference.
Regardless of the approach, the final release of the Benchmark will be the same. The deciding factors for its readiness for release are the expected thresholds, hardening, and validation results.
'main' is out of scope
for a Benchmark
Benchmarks do not accommodate 'incremental requirements'. Therefore, your team should always work off a fork of the last release. If there is a 'main' or 'development' branch in your profile, it should be considered as a candidate for merging into the next patch or update release.