
CSA STAR API Specification

Revision 6
Last updated: August 2024

1. Introduction

The STAR Registry is a publicly available repository on Cloud Security Alliance’s website, which contains assurance information voluntarily submitted by hundreds of cloud providers.

The STAR Registry can be found at: https://cloudsecurityalliance.org/star/registry. Currently, each entry in the registry describes whether a service provider has:

  • Submitted a self-assessment, along with a link to the content of that self-assessment,
  • Received a STAR Certification,
  • Received a STAR Attestation,
  • Received a C-STAR Certification,
  • Maintains STAR Continuous status,
  • Received EU Cloud CoC Certification.

STAR Certification, C-STAR and STAR Attestation are all independent third-party audit schemes, while the Self-Assessment is based on a questionnaire called the CAIQ (Consensus Assessments Initiative Questionnaire). The CAIQ is itself based on the CCM (Cloud Controls Matrix), a GRC control framework specifically designed for the cloud and based on industry best practices. Self-assessments are provided through a standardized spreadsheet document as well as through the Cloud Security Alliance (CSA) STAR Platform.

This document describes an API specification enabling machine-readable access to the data currently stored in unstructured format in the STAR Registry.

2. APIs

CSA has developed an API with 7 methods:

  1. A method to query the type of assessments that have been performed for a specific cloud service, as described in the STAR Registry. This information should be sufficient to automatically annotate a service provider with security information.
  2. A method to get a collection of pointers to all cloud services that exist in the STAR Registry. Each pointer references a resource defined in point 1.
  3. A method to get a collection of pointers to all organizations that exist in the STAR Registry. Each pointer references a resource defined in point 2.
  4. A method to query the structure and content of a particular version of the CAIQ as defined by CSA, including the description of all domains, controls and questions.
  5. A method to get a collection of pointers to all versions of the CAIQ which are referenced in the STAR Registry. Each pointer references a resource defined in point 4.
  6. A method to query the responses provided by a specific provider in the context of a CAIQ self-assessment. Each response is either “yes”, “no” or “na” (not applicable) and is accompanied by an optional textual comment.
  7. A method to get a collection of pointers to all CAIQ questionnaire self-assessments. Each pointer references a resource defined in point 6.

Methods (4) and (6) can be combined to reconstruct a full self-assessment that includes both CAIQ questions and their answers.

2.1. Conventions Used in the API

The provided API is based on the REST paradigm and uses JSON. The HTTP content type of all responses will be set to application/json. Each API request URL description is formed with an HTTP method (here GET in all 3 cases) followed by a relative path to an API base URL. As such, if the API base URL is https://star.watch/ and the specified relative path is /api/v1/registry/cloud_services/42, the full query would be sent to the URL https://star.watch/api/v1/registry/cloud_services/42. Parameters in request URLs are denoted by a name preceded by the colon character (e.g. :service_id), following a convention frequently used in the description of REST APIs.

The following additional conventions are used in the API description.

  • Data types
    In addition to traditional JSON data types, we refer to the following types derived from a JSON string:
    • url: a string representing a URL (as defined in [RFC 1738]).
    • UTC_timestamp: UTC timestamp as defined in ISO 8601, including the year, month, day, hour, minute and second, and ending with the ‘Z’ marker representing UTC time (e.g. 2016-09-29T13:11:43Z).
  • Creation and update
    Each JSON response to a query contains a creation date created_at and a modification date updated_at, unless the query applies to a collection of resources.
  • The “self” property
    Each JSON response to a query contains a property called self, which is a full URL that points back to the queried resource, essentially repeating the requested API query URL with all parameters defined (including the base URL).
  • Array descriptors
    When an array appears in a schema description, we only represent an example of the first element in the array, followed by an ellipsis (“…”). This means that the element may appear 0 or more times.

The properties of JSON objects described in this specification are listed in a non-binding order (e.g. the specification may list the self property before the id, but an implementation may use the opposite order in a JSON resource).
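As an added example (not part of the CSA specification or the STAR Platform code), the following Python checks a single-resource response against the conventions above: the self property must echo the full request URL, and created_at / updated_at must be UTC_timestamp values ending in the Z marker. The sample resource and request URL are constructed for the example; accepting optional fractional seconds is an assumption taken from the Annex A samples, which carry milliseconds.

```python
import re
from datetime import datetime

# Constructed sample resource, shaped like the single-resource responses in
# section 2.2. Not taken from the live registry.
SAMPLE_RESOURCE = {
    "self": "https://star.watch/api/v1/registry/cloud_services/42",
    "created_at": "2016-09-29T13:11:43Z",
    "updated_at": "2016-09-29T13:11:43Z",
    "id": 42,
    "name": "Example Service",
}

# UTC_timestamp as the spec describes it: date, time to the second, 'Z' suffix.
# The optional fraction is an assumption drawn from the Annex A examples.
UTC_TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def is_utc_timestamp(value):
    """Return True if value is a UTC_timestamp in the section 2.1 sense."""
    if not isinstance(value, str) or not UTC_TIMESTAMP_RE.match(value):
        return False
    # The regex pins the shape; strptime rejects impossible calendar fields
    # (month 13, hour 25). The optional fraction is dropped before parsing.
    base = value.split(".")[0].rstrip("Z")
    try:
        datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return False
    return True


def validate_conventions(resource, requested_url, collection=False):
    """Check a JSON response against the section 2.1 conventions.

    Returns a list of problem strings; an empty list means the resource
    follows the conventions. `collection=True` marks a collection response,
    which the spec exempts from created_at/updated_at.
    """
    problems = []
    # "self" must repeat the full request URL, base URL included.
    if resource.get("self") != requested_url:
        problems.append("self does not match requested URL: %r" % resource.get("self"))
    if not collection:
        for key in ("created_at", "updated_at"):
            if key not in resource:
                problems.append("missing %s" % key)
            elif not is_utc_timestamp(resource[key]):
                problems.append("%s is not a UTC_timestamp: %r" % (key, resource[key]))
    return problems


if __name__ == "__main__":
    url = "https://star.watch/api/v1/registry/cloud_services/42"
    print(validate_conventions(SAMPLE_RESOURCE, url))
```

Run against the caiq_templates collection shown in Annex A, the same check would reject created_at values such as 2023-09-27T14:04:59.090-07:00, which carry a numeric offset rather than the Z marker the convention requires; a client consuming the live API has to decide whether to normalise or reject such values rather than silently compare them against Z-suffixed ones.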

2.2. Cloud Service Assurance Profile

This GET method provides a way to query the assurance level associated with a cloud service, as stored in the CSA STAR registry. The id of the service is specified in the query URL, and the response provides a list of all known assessments from the CSA STAR Registry for that particular service.

Each item in the registry_entries[] array offers several types of optional URLs where further information can be found:

  • url points to a machine-readable assessment as described, for example, in 2.6. The presence of this field indicates that the cloud service provider supplied CSA with a correctly formatted assessment. When this field is absent, no machine-readable assessment is available.
  • asset_url provides data in a non-machine-readable format, typically a ZIP file containing an XLS file or a PDF file, along with a cryptographic proof or receipt issued by CSA. Data in this file may be supplemented with additional data in the supporting_assets property.
  • external_url provides a pointer to an assessment that is not hosted by CSA. This case is rare and is maintained for legacy purposes.
  • specification_url is a URI that identifies the standard or best practice used in the assessment (e.g. CAIQ version 4.0.3).

Request URL

GET /api/v1/registry/cloud_services/:service_id

Parameters:

  • service_id: a numerical string uniquely identifying the service for which information is requested.

Response Body

{
    "self": <url>,
    "created_at": <UTC_timestamp>,
    "updated_at": <UTC_timestamp>,
    "id": <number>,
    "name": <string>,
    "description": <string>,
    "organization_id": <number>,
    "registry_entries": [
        {
            "id": <number>,
            "type": <string>,
            "specification_name": <string>,
            "specification_url": <url>,
            "asset_url": <url> (optional),
            "external_url": <url> (optional),
            "supporting_assets": [
                {
                    "url": <url>,
                    "description": <string>
                },
                ...
            ] (optional),
            "url": <url> (optional)
        },
        ...
    ]
}
Property descriptions:

  • self: See 2.1.
  • created_at: See 2.1. (e.g. “2016-09-27T14:07:18Z”)
  • updated_at: See 2.1.
  • id: Same value as the :service_id parameter in the request URL.
  • name: Name of the service (e.g. “Azure”).
  • description: Description of the service as provided by the service provider.
  • organization_id: Unique identifier of the organization offering the cloud service.
  • registry_entries[]: List of assessments known for this service.
  • registry_entries[].id: Unique identifier of the registry entry.
  • registry_entries[].type: Type of assessment as displayed in the STAR Registry.
  • registry_entries[].specification_name: Name of the reference standard/specification.
  • registry_entries[].specification_url: URL identifying the reference standard. Two distinct versions will use different URLs.
  • registry_entries[].asset_url (optional): URL to a non-machine-readable version of the assessment, if one exists (XLS, ZIP, or PDF file).
  • registry_entries[].external_url (optional): URL pointing to an externally hosted assessment or webpage describing the assessment.
  • registry_entries[].supporting_assets[] (optional): Additional files supporting the entry.
  • registry_entries[].supporting_assets[].url: URL to a file containing additional evidence supporting the entry.
  • registry_entries[].supporting_assets[].description: Description of the supporting asset.
  • registry_entries[].url (optional): URL pointing to a location where a machine-readable version of the assessment can be found.

Error codes

  • 404: The service was not found in the registry.

2.3. Cloud Service Assurance Profile Collection

This GET method provides a way to get a collection of pointers to all cloud services referenced in the CSA STAR Registry.

Request URL

GET /api/v1/registry/cloud_services

Parameters:

none.

Response body

{
    "self": <url>,
    "cloud_services": [
        {
            "id": <string>,
            "name": <string>,
            "url": <url>,
            "created_at": <UTC_timestamp>,
            "updated_at": <UTC_timestamp>
        },
        ...
    ]
}
Property descriptions:

  • self: See 2.1.
  • cloud_services[]: List of cloud services in the STAR Registry.
  • cloud_services[].id: Unique numerical identifier of a cloud service in the STAR Registry.
  • cloud_services[].name: Name of the service (e.g. “Azure”).
  • cloud_services[].url: URL to the cloud service description as specified in section 2.2.
  • cloud_services[].created_at: See 2.1.
  • cloud_services[].updated_at: See 2.1.

Error codes

none.

2.4. Organization Profile

This GET method provides a way to query information about an organization, as stored in the CSA STAR Registry. The id of the organization is specified in the query URL, and the response provides a list of all known cloud services from the CSA STAR Registry for that particular organization.

Request URL

GET /api/v1/registry/organizations/:organization_id

Parameters:

  • organization_id: a numerical string uniquely identifying the organization for which information is requested.

Response body

{
    "id": <number>,
    "name": <string>,
    "self": <url>,
    "description": <string>,
    "website": <string>,
    "created_at": <UTC_timestamp>,
    "updated_at": <UTC_timestamp>,
    "cloud_services": [
        {
            "id": <number>,
            "name": <string>,
            "url": <url>,
            "created_at": <UTC_timestamp>,
            "updated_at": <UTC_timestamp>
        },
        ...
    ]
}
Property descriptions:

  • self: See 2.1.
  • created_at: See 2.1. (e.g. “2016-09-27T14:07:18Z”)
  • updated_at: See 2.1.
  • id: Same value as the :organization_id parameter in the request URL.
  • name: Name of the organization (e.g. “Microsoft”).
  • description: Description of the organization as provided by the organization.
  • website: URL of the organization website as provided by the organization.
  • cloud_services[]: List of cloud services belonging to the organization.
  • cloud_services[].id: Unique identifier of the cloud service.
  • cloud_services[].name: Name of the cloud service.
  • cloud_services[].url: Unique URL to the cloud service description as specified in section 2.2.
  • cloud_services[].created_at: See 2.1. (e.g. “2016-09-27T14:07:18Z”)
  • cloud_services[].updated_at: See 2.1.

Error codes

  • 404: The organization was not found in the registry.

2.5. Organization Profile Collection

This GET method provides a way to get a collection of pointers to all organizations referenced in the CSA STAR Registry.

Request URL

GET /api/v1/registry/organizations

Parameters:

none.

Response body

{
    "self": <url>,
    "organizations": [
        {
            "id": <string>,
            "name": <string>,
            "url": <url>,
            "created_at": <UTC_timestamp>,
            "updated_at": <UTC_timestamp>
        },
        ...
    ]
}
Property descriptions:

  • self: See 2.1.
  • organizations[]: List of organizations in the STAR Registry.
  • organizations[].id: Unique identifier of the organization in the STAR Registry.
  • organizations[].name: Name of the organization (e.g. “Azure”).
  • organizations[].url: Unique URL to the organization description as specified in section 2.4.
  • organizations[].created_at: See 2.1. (e.g. “2016-09-27T14:07:18Z”)
  • organizations[].updated_at: See 2.1.

Error codes

none.

2.6. CAIQ Template

This GET method provides a way to retrieve a template describing the structure of a CAIQ-based self-assessment, as used in the CSA STAR Platform. By definition, all CAIQ assessments conducted with the same version of the CAIQ use the same template, with the same questions. By combining this generic template with the answers provided for a specific service (see 2.8), it is possible to create a full description of a CAIQ assessment, combining both questions and answers.

Request URL

GET /api/v1/registry/caiq_templates/:template_id

Parameters:

  • template_id: a numerical string uniquely identifying the CAIQ reference questionnaire requested.

Response Body

{
    "self": <url>,
    "created_at": <UTC_timestamp>,
    "updated_at": <UTC_timestamp>,
    "id": <string>,
    "template_version": <string>,
    "specification_name": <string>,
    "specification_url": <string>,
    "domains": [
        {
            "domain_id": <string>,
            "title": <string>,
            "controls": [
                {
                    "control_id": <string>,
                    "title": <string>,
                    "description": <string>,
                    "questions": [
                        {
                            "question_id": <string>,
                            "description": <string>
                        },
                        ...
                    ]
                },
                ...
            ]
        },
        ...
    ]
}
Property descriptions:

  • self: See 2.1.
  • created_at: See 2.1. (e.g. “2016-09-27T14:07:18Z”)
  • updated_at: See 2.1.
  • id: Same value as the :template_id parameter in the request URL.
  • template_version: Version of the template used (e.g. “1.0”).
  • specification_name: Name of the reference standard described in the template (e.g. “Consensus Assessment Questionnaire v4.0.3”).
  • specification_url: Unique URL identifying the reference standard in the template.
  • domains[]: List of CAIQ/CCM domains in the template.
  • domains[].domain_id: Domain identifier as defined in CAIQ/CCM (e.g. “AIS”).
  • domains[].title: Domain description (e.g. “Application & Interface Security”).
  • domains[].controls[]: List of CCM control groups in the domain.
  • domains[].controls[].control_id: CCM control group identifier as defined in CAIQ/CCM (e.g. “AIS-01”).
  • domains[].controls[].title: CCM control group title (e.g. “Application security”).
  • domains[].controls[].description: CCM control group description (e.g. “Applications and programming interfaces (APIs) shall […]”).
  • domains[].controls[].questions[]: List of CAIQ questions for the control group.
  • domains[].controls[].questions[].question_id: The CAIQ question identifier (e.g. “AIS-01.1”).
  • domains[].controls[].questions[].description: CAIQ question (e.g. “Do you use industry standards […]”).

Error codes

  • 404: The requested CAIQ does not exist.

2.7. CAIQ Template Collection

This GET method provides a way to get a collection of pointers to all CAIQ versions referenced in the CSA STAR registry.

Request URL

GET /api/v1/registry/caiq_templates

Parameters:

none.

Response body

{
    "self": <url>,
    "caiq_templates": [
        {
            "id": <string>,
            "name": <string>,
            "url": <url>,
            "created_at": <UTC_timestamp>,
            "updated_at": <UTC_timestamp>
        },
        ...
    ]
}
Property descriptions:

  • self: See 2.1.
  • caiq_templates[]: List of CAIQ questionnaire templates.
  • caiq_templates[].id: Unique numerical identifier of the CAIQ questionnaire template in the STAR Registry.
  • caiq_templates[].name: Name of the CAIQ template (e.g. “CAIQ 4.0.3”).
  • caiq_templates[].url: A unique URL pointing to a CAIQ template description as specified in section 2.4.
  • caiq_templates[].created_at: See 2.1. (e.g. “2016-09-27T14:07:18Z”)
  • caiq_templates[].updated_at: See 2.1.

Error codes

none.

2.8. CAIQ Assessment

This GET method retrieves the answers provided by a service provider to the CAIQ questionnaire in the context of a self-assessment.

Request URL

GET /api/v1/registry/caiq_assessments/:assessment_id

Parameters:

  • assessment_id: a numerical string uniquely identifying a CAIQ assessment.

Response Body

{
    "self": <url>,
    "created_at": <UTC_timestamp>,
    "updated_at": <UTC_timestamp>,
    "id": <string>,
    "template_url": <url>,
    "name": <string>,
    "description": <string>,
    "responses": [
        {
            "question_id": <string>,
            "answer": <"yes", "no", or "na">,
            "comment": <string>
        },
        ...
    ]
}
Property descriptions:

  • self: See 2.1.
  • created_at: See 2.1. (e.g. “2016-09-27T14:07:18Z”)
  • updated_at: See 2.1.
  • id: Same value as the :assessment_id parameter in the request URL.
  • template_url: URL to the machine-readable questionnaire or control framework used in the assessment.
  • name: Name/title of the assessment (usually the service or organization being assessed).
  • description: Description of the assessment itself.
  • responses[]: List of answers to the CAIQ questions.
  • responses[].question_id: CAIQ question identifier (e.g. “AIS-01.1”).
  • responses[].answer: Answer provided to the CAIQ question (either “Yes”, “No” or “Not Applicable”).
  • responses[].comment: Comment provided by the auditor or service provider in relation to the answer.

Error codes

  • 404: The requested service assessment does not exist.
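Section 2 notes that the template method (2.6) and the assessment method (2.8) can be combined to rebuild a full self-assessment, and section 2.2 explains that only registry entries carrying a url field have a machine-readable assessment behind them. The following Python walks that chain on constructed in-memory data: cloud service resource, then each machine-readable registry entry's assessment, then the template named by template_url, joining questions to answers by question_id. It is an added example, not code from the CSA specification or the STAR Platform; FAKE_REGISTRY, fake_get and the example.invalid URLs are stand-ins, and the CAIQ text is abridged and invented.

```python
# Constructed in-memory copies of the three resources the join involves,
# shaped after sections 2.2, 2.6 and 2.8. Values are invented and abridged
# (not live registry data); example.invalid URLs are placeholders.
FAKE_REGISTRY = {
    "https://star.watch/api/v1/registry/cloud_services/25": {
        "self": "https://star.watch/api/v1/registry/cloud_services/25",
        "id": 25, "name": "Example Service", "organization_id": 3,
        "registry_entries": [
            {   # machine-readable: carries `url`
                "id": 359, "type": "SelfAssessment",
                "specification_name": "CAIQ v3.0.1",
                "specification_url": "https://example.invalid/caiq-3.0.1",
                "asset_url": "https://example.invalid/359/download_self_assessment",
                "url": "https://star.watch/api/v1/registry/caiq_assessments/359",
            },
            {   # not machine-readable: asset_url only, no `url`
                "id": 360, "type": "Certification",
                "specification_name": "STAR Certification",
                "specification_url": "https://example.invalid/star-certification",
                "asset_url": "https://example.invalid/360/certificate.pdf",
            },
        ],
    },
    "https://star.watch/api/v1/registry/caiq_assessments/359": {
        "self": "https://star.watch/api/v1/registry/caiq_assessments/359",
        "id": 359, "name": "Example Service", "description": "",
        "template_url": "https://star.watch/api/v1/registry/caiq_templates/1",
        "responses": [
            {"question_id": "AIS-01.1", "answer": "Yes", "comment": "Follows OWASP."},
            {"question_id": "AIS-01.2", "answer": "Yes", "comment": "Manual and automated testing."},
            # Answer to a question the template below does not define.
            {"question_id": "AIS-01.4", "answer": "Not Applicable", "comment": "No outsourcing."},
        ],
    },
    "https://star.watch/api/v1/registry/caiq_templates/1": {
        "self": "https://star.watch/api/v1/registry/caiq_templates/1",
        "id": "1", "template_version": "3.0.1",
        "domains": [
            {"domain_id": "AIS", "title": "Application and Interface Security",
             "controls": [
                 {"control_id": "AIS-01", "title": "Application Security",
                  "description": "Applications and APIs shall be designed and tested securely.",
                  "questions": [
                      {"question_id": "AIS-01.1", "description": "Do you use industry standards in your SDLC?"},
                      {"question_id": "AIS-01.2", "description": "Do you use automated testing?"},
                      {"question_id": "AIS-01.3", "description": "Do you test for vulnerabilities before release?"},
                  ]},
             ]},
        ],
    },
}


def fake_get(url):
    """Hypothetical stand-in for an authenticated HTTP GET against the registry API."""
    if url not in FAKE_REGISTRY:
        raise KeyError("404: %s" % url)
    return FAKE_REGISTRY[url]


def machine_readable_entries(service):
    """Section 2.2: only registry entries carrying `url` have a machine-readable assessment."""
    return [e for e in service["registry_entries"] if "url" in e]


def reconstruct_assessment(service_url, get=fake_get):
    """Join CAIQ template questions (2.6) with assessment answers (2.8).

    Returns (rows, orphans): one row per template question with its answer
    (None where the provider did not answer), and the question_ids of
    responses the template does not define, which signal a template or
    version mismatch worth flagging before the data is trusted.
    """
    service = get(service_url)
    rows, orphans = [], []
    for entry in machine_readable_entries(service):
        assessment = get(entry["url"])
        template = get(assessment["template_url"])
        answers = {r["question_id"]: r for r in assessment["responses"]}
        seen = set()
        for domain in template["domains"]:
            for control in domain["controls"]:
                for q in control["questions"]:
                    resp = answers.get(q["question_id"])
                    seen.add(q["question_id"])
                    rows.append({
                        "domain_id": domain["domain_id"],
                        "control_id": control["control_id"],
                        "question_id": q["question_id"],
                        "question": q["description"],
                        "answer": resp["answer"] if resp else None,
                        "comment": resp["comment"] if resp else None,
                    })
        orphans.extend(sorted(set(answers) - seen))
    return rows, orphans


if __name__ == "__main__":
    rows, orphans = reconstruct_assessment("https://star.watch/api/v1/registry/cloud_services/25")
    for row in rows:
        print(row["question_id"], row["answer"], "-", row["question"])
    print("responses without a template question:", orphans)
```

Against a live deployment, fake_get would be replaced by an HTTP client that sends the Authorization header from section 4 and follows the exact URLs returned in url and template_url rather than rebuilding them; keeping the unanswered-question and orphan-response checks is what turns the join into a consistency check rather than a blind merge.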

2.9. CAIQ Assessment Collection

This GET method provides a way to get a collection of pointers to all CAIQ self-assessments referenced in the CSA STAR Registry.

Request URL

GET /api/v1/registry/caiq_assessments

Parameters:

none.

Response body

{
    "self": <url>,
    "caiq_assessments": [
        {
            "id": <string>,
            "name": <string>,
            "url": <url>
        },
        ...
    ]
}
Property descriptions:

  • self: See 2.1.
  • caiq_assessments[]: List of CAIQ questionnaire responses.
  • caiq_assessments[].id: Unique identifier of a CAIQ assessment in the STAR Registry.
  • caiq_assessments[].name: Name of the assessment (this is typically the name of the service).
  • caiq_assessments[].url: A unique URL pointing to a CAIQ assessment description as specified in section 2.8.

Error codes

none.

4. Security

To access the registry APIs at https://star.watch/api/v1/registry, clients will be required to provide an API key, in order to verify that they have the right to access the APIs. This API key shall be provided with the following HTTP header in every request:

Authorization: Bearer <API_KEY>

API_KEY is a random, secret value provided by CSA. Each client accessing the API requires its own distinct key.

If a client makes a request without specifying an API key, or with an unknown API key, the server will respond with HTTP error code 401 (Unauthorized) and provide the following HTTP header in the response: WWW-Authenticate: Bearer realm="https://star.watch/api/v1/registry".
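The following Python shows a client-side handling of the scheme described in this section: the key is read from the environment rather than embedded in source, sent as Authorization: Bearer <API_KEY>, redacted before it reaches any log, and a 401 response is recognised by parsing the WWW-Authenticate challenge for its realm. This is an added example, not CSA or STAR Platform code; the STAR_API_KEY variable name and the classify_response return shape are assumptions of the example.

```python
import os
from urllib.request import Request

API_BASE = "https://star.watch/api/v1/registry"


def load_api_key(env_var="STAR_API_KEY"):
    """Read the per-client API key from the environment (variable name assumed).

    Keeping the key out of source and config files that are committed is the
    point; each client is issued its own distinct key by CSA.
    """
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError("set %s to the API key issued by CSA" % env_var)
    return key


def build_request(path, api_key):
    """Build a GET request carrying the key exactly as section 4 requires."""
    req = Request(API_BASE + path, method="GET")
    req.add_header("Authorization", "Bearer " + api_key)
    req.add_header("Accept", "application/json")
    return req


def redact(api_key):
    """Keep only a short prefix so a leaked log does not leak the credential."""
    return api_key[:4] + "..." if len(api_key) > 4 else "****"


def parse_www_authenticate(header_value):
    """Split a challenge such as 'Bearer realm="https://star.watch/api/v1/registry"'
    into (scheme, realm). realm is None if absent."""
    scheme, _, params = header_value.partition(" ")
    realm = None
    for part in params.split(","):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "realm":
            realm = val.strip().strip('"')
    return scheme, realm


def classify_response(status, headers):
    """Map a response to ('ok' | 'reauth' | 'error', scheme, realm).

    A 401 means the key was missing or unknown; the realm tells the client
    which protection space rejected it, so a rotated or revoked key is
    distinguishable from an unrelated failure.
    """
    if status == 401:
        scheme, realm = parse_www_authenticate(headers.get("WWW-Authenticate", ""))
        return "reauth", scheme, realm
    if 200 <= status < 300:
        return "ok", None, None
    return "error", None, None


if __name__ == "__main__":
    key = load_api_key()
    req = build_request("/cloud_services/42", key)
    print("GET", req.full_url, "using key", redact(key))
    # Constructed 401 as the spec describes it, to show the challenge handling.
    print(classify_response(401, {"WWW-Authenticate": 'Bearer realm="%s"' % API_BASE}))
```

The request is built but not sent, so the block runs without network access; wiring it to urllib.request.urlopen adds the actual call and the 401 path above becomes the place to stop retrying and surface a credential problem rather than loop on a dead key.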

An API key can be requested by sending an email to: [email protected].

Once generated, the API key will appear in the STAR Platform user account of the person who requested the key. To access the key, simply log into STAR Platform and click on “account” in the top right of the screen.

Creating a STAR Platform account is free of charge.

Annex A: Examples

This annex provides examples of the API calls described in this document. Most examples have been truncated for the sake of brevity.

https://star.watch/api/v1/registry/cloud_services/25

{
    "id": 25,
    "name": "Avature",
    "self": "https://star.watch/api/v1/registry/cloud_services/25",
    "description": "Avature is an HCM software company which employs more than 450 employees around the world and operates in six countries (USA, UK, Spain, China, Australia and Argentina). At the moment, Avature has more than 650 customers worldwide, including 101 of the Fortune 500, 23 of FTSE 100, the Big Four accounting firms, 8 of the top 10 banks in the US. Our vision is to support strategic HR initiatives by introducing a consumer web quality platform that can be customized quickly and easily by our customers - allowing them to design and implement innovative programs to compete for and retain talented people. We currently provide the broadest range of recruiting solutions available from a single vendor. Avature is widely credited for introducing CRM concepts to recruiting processes and is currently the global leader in this category of recruiting solution.  In the last years we’ve expanded our suite to include ATS, On-boarding, Employee Referral, Agency Management, Hiring Manager, Events Management, In-Store Recruiting, Internal Mobility solutions.",
    "organization_id": 3,
    "created_at": "2017-10-27T18:55:42.348Z",
    "updated_at": "2017-10-27T18:55:42.348Z",
    "registry_entries": [
        {
            "id": 359,
            "type": "SelfAssessment",
            "specification_name": "Consensus Assessments Initiative Questionnaire v3.0.1",
            "specification_url": "https://cloudsecurityalliance.org/download/consensus-assessments-initiative-questionnaire-v3-0-1/",
            "asset_url": "https://star.watch/en/registry/359/download_self_assessment",
            "url": "https://star.watch/api/v1/registry/caiq_assessments/359"
        }
    ]
}

https://star.watch/api/v1/registry/cloud_services

{
    "self": "https://star.watch/api/v1/registry/cloud_services",
    "cloud_services": [
        {
            "id": 1,
            "name": "InSite",
            "url": "https://star.watch/api/v1/registry/cloud_services/1",
            "created_at": "2017-10-27T18:55:02.707Z",
            "updated_at": "2017-10-27T18:55:02.707Z"
        },
        {
            "id": 24,
            "name": "Auth0",
            "url": "https://star.watch/api/v1/registry/cloud_services/24",
            "created_at": "2017-10-27T18:55:41.559Z",
            "updated_at": "2017-10-27T18:55:41.559Z"
        },
        {
            "id": 25,
            "name": "Avature",
            "url": "https://star.watch/api/v1/registry/cloud_services/25",
            "created_at": "2017-10-27T18:55:42.348Z",
            "updated_at": "2017-10-27T18:55:42.348Z"
        }
    ]
}

https://star.watch/api/v1/registry/organizations/3

{
    "id": 3,
    "name": "AC3",
    "self": "https://star.watch/api/v1/registry/organizations/3",
    "description": "<p>AC3 is an ICT Managed Service Provider (MSP) specialising in delivering solutions to both the public and private sectors. We combine the best technology with the best people to deliver innovative IT solutions. We have been designing, building and managing IT solutions since 1999.</p> <p>We believe that the true benefit of IT is utilising it to unlock greater efficiency, so our customers can focus on what’s important to them; their business. Our key goal is to be a true technology partner and solve once unsolvable problems. We deliver solutions across a number of areas, including managed services and cloud hosting in our secure data centres, professional services, procurement services and talent management.</p> <p>Our vision is to be Australia’s most dynamic technology partner and our team actively work on achieving this through our essential behaviours of being nimble, smart and straightforward.</p> ",
    "website": "http://www.ac3.com.au",
    "created_at": "2017-06-30T19:08:33.000Z",
    "updated_at": "2019-08-15T22:39:53.049Z",
    "cloud_services": [
        {
            "id": 2,
            "name": "AC3",
            "url": "https://star.watch/api/v1/registry/cloud_services/2",
            "created_at": "2019-08-15T22:39:25.531Z",
            "updated_at": "2019-08-15T22:39:25.531Z"
        }
    ]
}

https://star.watch/api/v1/registry/organizations

{
    "self": "https://star.watch/api/v1/registry/organizations",
    "organizations": [
        {
            "id": 2,
            "name": "411 Labs, Inc",
            "url": "https://star.watch/api/v1/registry/organizations/2",
            "created_at": "2017-09-13T16:51:49.000Z",
            "updated_at": "2019-08-15T22:39:53.044Z"
        },
        {
            "id": 3,
            "name": "AC3",
            "url": "https://star.watch/api/v1/registry/organizations/3",
            "created_at": "2017-06-30T19:08:33.000Z",
            "updated_at": "2019-08-15T22:39:53.049Z"
        },
        {
            "id": 4,
            "name": "Accenture Plc",
            "url": "https://star.watch/api/v1/registry/organizations/4",
            "created_at": "2017-07-06T23:08:29.000Z",
            "updated_at": "2019-08-15T22:39:53.053Z"
        },
        {
            "id": 5,
            "name": "Acer CyberCenter Services Inc.",
            "url": "https://star.watch/api/v1/registry/organizations/5",
            "created_at": "2013-11-20T21:48:28.000Z",
            "updated_at": "2019-08-15T22:39:53.056Z"
        },
        {
            "id": 6,
            "name": "Achievers Corporation",
            "url": "https://star.watch/api/v1/registry/organizations/6",
            "created_at": "2014-04-16T23:56:26.000Z",
            "updated_at": "2019-08-15T22:39:53.060Z"
        }
    ]
}

https://star.watch/api/v1/registry/caiq_assessments/359

{
    "id": 359,
    "self": "https://star.watch/api/v1/registry/caiq_assessments/359",
    "name": "Avature",
    "description": "",
    "created_at": "2017-10-27T20:12:06.170Z",
    "updated_at": "2017-10-27T20:18:56.941Z",
    "template_url": "https://star.watch/api/v1/registry/caiq_templates/1",
    "responses": [
        {
            "question_id": "AIS-01.1",
            "answer": "Yes",
            "comment": "Avature's security policies and controls, as well as the Software Development Lifecycle, are in line with industry standards. Avature follows ISO 27001 and OWASP guidelines for secure development and testing."
        },
        {
            "question_id": "AIS-01.4",
            "answer": "Not Applicable",
            "comment": "Not applicable. Avature does not outsource software development."
        },
        {
            "question_id": "AIS-01.2",
            "answer": "Yes",
            "comment": "Testing process includes both automatic and manual testing."
        }
    ]
}

https://star.watch/api/v1/registry/caiq_assessments

{
    "self": "https://star.watch/api/v1/registry/caiq_assessments",
    "caiq_assessments": [
        {
            "id": 1,
            "name": "InSite",
            "url": "https://star.watch/api/v1/registry/caiq_assessments/1"
        },
        {
            "id": 2,
            "name": "AC3",
            "url": "https://star.watch/api/v1/registry/caiq_assessments/2"
        },
        {
            "id": 357,
            "name": "STARWatch",
            "url": "https://star.watch/api/v1/registry/caiq_assessments/357"
        }
    ]
}

https://star.watch/api/v1/registry/caiq_templates/1

{
    "id": 1,
    "self": "https://star.watch/api/v1/registry/caiq_templates/1",
    "created_at": "2017-10-27T18:54:59.024Z",
    "updated_at": "2017-10-27T18:55:01.947Z",
    "template_version": "3.0.1",
    "specification_name": "Consensus Assessments Initiative Questionnaire v3.0.1",
    "specification_url": "https://cloudsecurityalliance.org/download/consensus-assessments-initiative-questionnaire-v3-0-1/",
    "domains": [
        {
            "domain_id": "AIS",
            "title": "Application and Interface Security",
            "controls": [
                {
                    "control_id": "AIS-01",
                    "title": "Application Security",
                    "description": "Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.",
                    "questions": [
                        {
                            "question_id": "AIS-01.1",
                            "description": "Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?"
                        }
                    ]
                }
            ]
        }
    ]
}

https://star.watch/api/v1/registry/caiq_templates

{
    "self": "https://star.watch/api/v1/registry/caiq_templates",
    "caiq_templates": [
        {
            "id": 6,
            "name": "Consensus Assessments Initiative Questionnaire v4.0.3",
            "url": "https://star.watch/api/v1/registry/caiq_templates/6",
            "created_at": "2023-09-27T14:04:59.090-07:00",
            "updated_at": "2023-09-27T14:04:59.090-07:00"
        },
        {
            "id": 5,
            "name": "Consensus Assessments Initiative Questionnaire v4.0.2",
            "url": "https://star.watch/api/v1/registry/caiq_templates/5",
            "created_at": "2021-08-13T14:47:18.176-07:00",
            "updated_at": "2021-08-13T14:47:18.176-07:00"
        },
        {
            "id": 4,
            "name": "Consensus Assessments Initiative Questionnaire v4.0.1",
            "url": "https://star.watch/api/v1/registry/caiq_templates/4",
            "created_at": "2021-08-13T14:47:07.138-07:00",
            "updated_at": "2021-08-13T14:47:07.138-07:00"
        }
    ]
}

Revision History

  • August 2024 (R6):
    • Documentation migrated to STAR Platform:
      https://star.watch/api-specification (this document).
    • Moved Revision History section to the end of the document.
    • Changed all references of section 3 to section 2 (prior references to 3.4 became 2.4 etc.)
    • TODO
  • August 2019 (R5):
    • Added method for retrieving data on the organizations within the registry.
    • Amended section 3.0 to add in the latest method.
    • Inserted the Organization profile and Organization profile collection as sections 3.4. and 3.5. Each section after this was pushed back by two to account for this change.
    • Changed all references to section 3 to match the new table of contents (old references to 3.4 became 3.6 etc.)
    • Amended examples for cloud services to account for organization_id and added additional examples for organizations.
  • April 2018 (R4):
    • Added token-based authentication in Section 4,
    • Amended section 3.2, adding the following fields: supporting_assets and external_url.
    • Added a clarification on the roles of the different types of URLs accessible.
  • October 2017 (R3): Naming adjustments to the API described in 3.6:
    • Added the missing id property in 3.6.
    • Renamed the list answers[] to responses[] in 3.6.
    • Renamed the property service_name to name in 3.6 to be consistent with 3.7.
    • Clarified the possible values of responses[].answer in 3.6.
  • September 2017 (R2): Changed to an id-centric approach and added collections. Naming adjustments on the APIs described in 3.2, 3.3 and 3.4. These changes notably include:
    • The number of API calls was changed from 3 to 6: for each type of resource we added a call to get a “collection” of resources.
    • All single resources now have an id property.
    • Short property names were replaced by more descriptive names (e.g. qid was replaced by question_id).
    • Added some properties to allow better transition from existing legacy entries in the CSA STAR Registry (e.g. registry_entries[].asset_url).
  • August 2017 (R1): Minor cleanup.
  • October 2016: Initial version.

References

  1. CSA Cloud Control Matrix.
    https://cloudsecurityalliance.org/research/cloud-controls-matrix/
  2. CSA Consensus Assessment Initiative Questionnaire.
    https://cloudsecurityalliance.org/artifacts/star-level-1-security-questionnaire-caiq-v4
  3. G. Klyne, C. Newman. RFC 3339: Date and Time on the Internet: Timestamps. Internet Engineering Task Force (IETF), July 2002.
  4. T. Berners-Lee, R. Fielding, L. Masinter. RFC 3986: Uniform Resource Identifier (URI): Generic Syntax. The Internet Engineering Task Force, January 2005.
  5. ECMA-404, European Computer Manufacturers Association, The JSON Data Interchange Format, Edition 1, October 2013.
