01/18/2024 Common Cloud Controls MITRE Meeting Agenda

[crawfordchanel]

01/18/2024 - (10)am ET / (3)pm UK

Untracked attendees

• Fullname, Affiliation, (optional) GitHub username
• ...

Meeting notices

• FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

• All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

• FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.

• FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

• [x] Convene & roll call (5mins)

• [x] Display FINOS Antitrust Policy summary slide

• [x] Review Meeting Notices (see above)

• [x] Approve past meeting minutes

• [x] Zoom info Join Zoom Meeting https://zoom.us/j/93861901920 Meeting ID: 938 6190 1920 Passcode: 284383 Agenda

  75 - MITRE WG: Establish collaboration with OSCAL working group on schema

  77 - Formulate taxonomy for MITRE TTPs to be represented in a higher level testing language

  11 Contribution Request : OSCAL example that points to MITRE and describes tests using Gherkin

• [ ] AOB, Q&A & Adjourn (5mins)

Zoom info

Join Zoom Meeting https://zoom.us/j/93861901920 Meeting ID: 938 6190 1920 Passcode: 284383

Dial by your location • +1 719 359 4580 US • +1 253 205 0468 US • +1 253 215 8782 US (Tacoma) • +1 301 715 8592 US (Washington DC) • +1 305 224 1968 US • +1 309 205 3325 US • +1 312 626 6799 US (Chicago) • +1 346 248 7799 US (Houston) • +1 360 209 5623 US • +1 386 347 5053 US • +1 507 473 4847 US • +1 564 217 2000 US • +1 646 558 8656 US (New York) • +1 646 931 3860 US • +1 669 444 9171 US • +1 669 900 6833 US (San Jose) • +1 689 278 1000 US • 855 880 1246 US Toll-free • 877 369 0926 US Toll-free • +1 438 809 7799 Canada • +1 587 328 1099 Canada • +1 647 374 4685 Canada • +1 647 558 0588 Canada • +1 778 907 2071 Canada • +1 780 666 0144 Canada • +1 204 272 7920 Canada • 855 703 8985 Canada Toll-free

Meeting ID: 982 5461 7376

Find your local number: https://zoom.us/u/acPjHdY2IO

[crawfordchanel]

Chanel Crawford - Citi

[eddie-knight]

:wave: :shipit: Eddie Knight / Sonatype

[robmoffat]

Rob Moffat / FINOS ☁️

[maoo]

@maoo / FINOS

[rowan-baker]

Rowan Baker / ControlPlane

[jgoodwin72]

Jay Goodwin / Fidelity

[robmoffat]

Minutes

1. Attendance

CC explained that Jason Nelson wouldn't be able to attend and chair the meeting. Jay Goodwin from Fidelity introduced himself as a first-time attendee.

2. Items for Discussion

• 11

EK - has done some work on this. Talked about taxonomy - the features that a service must have and portability requirements for swapping between different CSP instances of the category.
EK - proof-of-concept of a MITRE control is missing, which means that they can't get on and create OSCAL for the control. EK - output from the Att&ck framework, in a consumable document. Once that is done, everyone else (downstream) can iterate. RM - This should be someone from this group who should pick up this work?
EK - Yes.

DS - Just to restate what is needed. The paper describes how an Att&ck framework control maps across a CSP service. It should have a rationale. I will attempt to work on this as a POC. RB - I'd be happy to contribute as well.

DS - I would skip the threat part - go from Mitre control to what the CSP should implement to mitigate it. We'll come at this from a GCP perspective.

EK - The control should go in the services/database/relational. This is where we'd want to see it. You might reference it from common-cloud-services.md file too.

Action: DS, EK and RB to schedule a meeting to take this forward.

• 75

CC - will discuss with Jason Nelson to take this forward.

• 77

RM - what does TTP stand for? TTP - Tactics, Techniques and Procedures. CC - Are there other options to Gherkin? DS - There are other options. The idea is to get the control into plain English. It's a translation layer. DS - Would it make sense to do a test script bundle? Or OPA Bundle? EK - That's where I'm starting. In CFI we have a plugin-based system, based on post-deploy. I'll show you what we have. EK - Propose that we add a dependency on #11 for this. We can ignore this for now.

• 13

Discussed lack of plan. RM - this is a steering committee issue, but we don't have another meeting scheduled.

Action: CC to work with Jim Adams secretary to schedule regular steering committee meetings.

AOB

EK, RB, DS shared email to coordinate a meeting