
SCAP v3

Open gravax opened this issue 4 years ago • 13 comments

I just saw this:

SCAP is a framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.

Should we consider aligning or even participating? Standards are good when they are as widely adopted as possible.

Gilles

gravax avatar Sep 16 '20 07:09 gravax

I think there is overlap. This only highlights the need for us to nail the charter and objectives for this WG.

MarcinHoppe avatar Sep 16 '20 09:09 MarcinHoppe

Couple of notes

  • The current WIP for SCAP is SCAPv2, not V3 :)

  • The work is still very much in flight, widespread discussions happen daily (see the mailing lists).

  • The SCAPv2 reference implementation effort is just getting started. This work is going to be done as an open source project in the Open Cybersecurity Alliance.

Happy to build bridges here, anyone feel free to reach out.

I do strongly agree that downstream consumers need be part of the conversation. The folks working on SCAP are who end up operationalizing vulnerability management processes. A fix is only useful once it's been physically deployed to the end user (who is often not the software developer) & it doesn't do anyone any good until that end to end process is done.

JasonKeirstead avatar Sep 16 '20 11:09 JasonKeirstead

@JasonKeirstead Thanks for the additional context! I think so far we've mostly heard from folks handling disclosure, but not a lot from folks who consume this information.

MarcinHoppe avatar Sep 16 '20 11:09 MarcinHoppe

We're big fans of SCAP/OpenSCAP. OpenSCAP consumes our OVAL data to give an accurate scan of a system for vulns versus many commercial scanners. If not directly part of the WG's efforts, I feel we should indeed travel that bridge Jason offered us to listen to what's going on with that group and see how the update can assist our efforts.

SecurityCRob avatar Sep 25 '20 12:09 SecurityCRob

@RedHatCRob Interestingly, we just had an OCA Webinar this week and this was one of the topics, which was pulled out into its own short overview video (< 10 mins)

https://www.youtube.com/watch?v=Q9SC1fpTKvQ

Feel free to get an overview of the project there. @MarcinHoppe happy to arrange someone to speak about this at the next meeting if we want it on the agenda.

JasonKeirstead avatar Sep 25 '20 13:09 JasonKeirstead

Yeah there is overlap because SCAP is (predominantly) used to check systems for insecure configuration (but because it uses OVAL under the hood it can pick up standard vulnerabilities). My understanding is that they are also looking at SACM, which is being worked on by an IETF working group to be the successor of SCAP.

| Spec | Description |
| --- | --- |
| XCCDF | Checklist Language: the human-readable description of a control |
| OVAL/OCIL | Checklist Instructions: the automated (OVAL) and manual (OCIL) instructions to check the technical control |
| CCE/CPE/CVE | Enumerations |
| CVSS | Risk Measurement |

It's good to see OASIS (via Open Cybersecurity Alliance) getting involved and software being written for it. My personal experience with SCAP is that it needs better "Getting Started" documentation as it has a (very) steep learning curve and it can at times feel like death by specification, which is why on its own, without OSS tooling, it can be a challenge to adopt. The users of SCAP need better training/documentation to write SCAP files that work in their orgs.

Finally - as a lesson learned, if you expect a user to learn yet another DSL, err on the side of ease of use. E.g. how OSQuery used standard SQL, which limits the learning curve.

kerberosmansour avatar Oct 02 '20 09:10 kerberosmansour

Side note... OSQuery is an LF project, I would LOVE if it can take SCAP files or map running software to CVEs out of the box.

kerberosmansour avatar Oct 02 '20 09:10 kerberosmansour

Just a quick heads-up, there are at least 2 unrelated SACMs in the security space:

  • the IETF Security Automation and Continuous Monitoring (SACM), noted above
  • the Object Management Group (OMG) Structured Assurance Case Metamodel (SACM), a common data format for assurance cases

I swear this is not my fault :-).

david-a-wheeler avatar Oct 02 '20 15:10 david-a-wheeler

Hahaha! Are you sure about that @david-a-wheeler ? Yeah there is bound to be some collisions in acronyms! Since you are here - how do we have a chat with the OSQuery project and ask if it makes sense if they have a home under OSSF?

kerberosmansour avatar Oct 02 '20 16:10 kerberosmansour

@kerberosmansour - I don't know the osquery folks (to my knowledge), sorry!

david-a-wheeler avatar Oct 02 '20 17:10 david-a-wheeler

This thread seems to be getting a little activity/topic heavy.

RE OS Query - OS Query has a wide mandate that goes beyond cyber. I view it as an enabling technology. A project that leveraged OS Query to run an SCAPv2 evaluation would be very cool, but IMHO that would not be part of OS Query itself.

Leveraging OS Query for the SCAPv2 reference implementation might be an idea worth pursuing with that project...

JasonKeirstead avatar Oct 02 '20 18:10 JasonKeirstead

There is that and mapping running software on an end point to PURLs/CPEs and then mapping those back to CVEs (i.e. vulnerabilities) -Sherif


kerberosmansour avatar Oct 02 '20 22:10 kerberosmansour
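The pipeline sketched in the two comments above (an osquery-style package inventory, turned into PURLs, then matched back to vulnerability records), as an added worked example. This is not code from this thread, from osquery, or from the SCAP/OVAL projects. The inventory rows, the `source`/`distro` columns used to derive the purl type, the advisory records and their `EXAMPLE-*` identifiers are all constructed for the example; no real CVE is referenced.

```python
"""Map an endpoint's installed-package inventory to Package URLs (purls)
and match them against vulnerability records keyed by purl and version
range. Added example for this thread; not code from osquery, SCAP/OVAL
or the OSSF WG. All inventory rows and advisory records are constructed
sample data with placeholder identifiers (not real CVEs).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory, shaped like rows an osquery query such as
# `SELECT name, version FROM deb_packages` (or pip_packages / npm_packages)
# might return. The "source" and "distro" columns are assumptions added so
# the rows can be turned into purls; they are not osquery columns.
INVENTORY: List[Dict[str, str]] = [
    {"name": "openssl", "version": "1.1.1f-1ubuntu2", "source": "deb", "distro": "ubuntu"},
    {"name": "Requests", "version": "2.25.1", "source": "pypi"},
    {"name": "lodash", "version": "4.17.21", "source": "npm"},
]

# Constructed advisory records in an OSV-like shape: each names the affected
# package by purl (without version) and one or more [introduced, fixed)
# ranges. EXAMPLE-* ids are placeholders, not real vulnerability identifiers.
ADVISORIES: List[Dict] = [
    {"id": "EXAMPLE-0001", "purl": "pkg:pypi/requests",
     "ranges": [("2.0.0", "2.26.0")]},
    {"id": "EXAMPLE-0002", "purl": "pkg:npm/lodash",
     "ranges": [("0", "4.17.21")]},                  # fixed in the installed version
    {"id": "EXAMPLE-0003", "purl": "pkg:generic/openssl",
     "ranges": [("1.1.1", "1.1.1g")]},              # upstream range; must not key a distro package
    {"id": "EXAMPLE-0004", "purl": "pkg:deb/ubuntu/openssl",
     "ranges": [("1.1.1", "1.1.1f-1ubuntu2.1")]},   # the distro's own backported fix version
]


@dataclass(frozen=True)
class Purl:
    ptype: str
    name: str
    version: str
    namespace: Optional[str] = None

    def key(self) -> str:
        """purl without the version: what advisories are keyed on."""
        ns = f"{self.namespace}/" if self.namespace else ""
        return f"pkg:{self.ptype}/{ns}{self.name}"

    def __str__(self) -> str:
        return f"{self.key()}@{self.version}"


def purl_from_row(row: Dict[str, str]) -> Purl:
    """Build a purl from an inventory row. The purl type and namespace come
    from where the package was installed from, not from its bare name."""
    source, name, version = row["source"], row["name"], row["version"]
    if source == "deb":
        return Purl("deb", name, version, namespace=row["distro"])
    if source == "pypi":
        # PyPI names are case-insensitive; purl normalises them to lowercase
        # with underscores replaced by dashes.
        return Purl("pypi", name.lower().replace("_", "-"), version)
    if source == "npm":
        return Purl("npm", name, version)
    raise ValueError(f"unsupported package source: {source}")


def version_key(version: str) -> Tuple:
    """Approximate ordering: numeric runs compare as integers, letter runs
    lexically, and a shorter version sorts before its longer extension
    (1.1.1 < 1.1.1f < 1.1.1f-1ubuntu2). Adequate for the sample data only;
    real tooling must use the ecosystem's comparator (dpkg, rpmvercmp,
    PEP 440, semver)."""
    return tuple((1, int(t)) if t.isdigit() else (0, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def is_affected(version: str, ranges) -> bool:
    """True if version lies in any half-open [introduced, fixed) range;
    fixed=None means no fix exists yet."""
    v = version_key(version)
    for introduced, fixed in ranges:
        if version_key(introduced) <= v and (fixed is None or v < version_key(fixed)):
            return True
    return False


def find_vulnerable(inventory, advisories) -> List[Tuple[str, str]]:
    """Return (purl, advisory id) pairs for every installed package that
    falls in an affected range of an advisory keyed on the same purl."""
    by_key: Dict[str, List[Dict]] = {}
    for adv in advisories:
        by_key.setdefault(adv["purl"], []).append(adv)
    hits: List[Tuple[str, str]] = []
    for row in inventory:
        purl = purl_from_row(row)
        for adv in by_key.get(purl.key(), []):
            if is_affected(purl.version, adv["ranges"]):
                hits.append((str(purl), adv["id"]))
    return hits


if __name__ == "__main__":
    for purl, adv_id in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{purl}  ->  {adv_id}")
```

Two points the example is built to show: matching is keyed on the full purl (type plus namespace), so the distro-packaged `openssl` is compared only against the distro's own advisory and fixed version, not against the upstream range, which is what makes distro OVAL data more accurate than a bare name-and-version lookup; and the version comparator is the part that goes wrong first in practice, so in anything beyond a demo it has to be the ecosystem's own (dpkg, rpm, PEP 440, semver) rather than a generic tokenizer.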

Anyone feel free to correct me here, but I believe at this point SCAP v2 has been discarded by NIST, who has been focusing on OSCAL instead

dodys avatar Feb 26 '24 12:02 dodys