oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf
Other
150 stars 40 forks source link

Product Tree Enhancement #2

Closed athiasjerome closed 7 years ago

athiasjerome commented 7 years ago

I would like to suggest that we try to enhance the Product Tree schema/model. The intent is to support more automation for (examples of use cases): 1) Automated generation of OVAL content 2) Automated generation of mitigations for COAs (e.g. OpenC2 context)

For 1), e.g. with the Microsoft API (ref. https://blogs.technet.microsoft.com/msrc/2016/11/08/furthering-our-commitment-to-security-updates/ ), it would be needed information like filenames, file versions and/or hashes (or other 'objects' "artifacts"/""observables"" like registry keys) to completely automate the generation of OVAL Definitions Note that for nix systems packages could be already somehow covered as products

BUT software packages, like .jar files still seem not covered, leading to issues like https://opensource.googleblog.com/2017/03/operation-rosehub.html

For 2) e.g. for web vulnerabilities, information like URLs/webpage names, and parameters/functions would be needed in order to, i.e., automate the generation of WAF signatures (or more generally IDS/IPS signatures) We need to resolve Wordpress/Struts "funny" stories...

The best approach, imho, to define and include these information in the schema/model, would be to reuse the (OASIS CTI STIX) CybOX objects (observables) models, so that more interoperability and automation into related playbooks will be obtained e.g. => new CVRF ==> new STIX/IODEF package ===> new OVAL Definition, trigger for SACM (assets/endpoints/nodes affected identified from the inventory) ===> new COA for OpenC2, mitigation with IDS/IPS/WAF signatures, apt-get update like commands, or monitoring SIEM rules, etc.

sthagen commented 7 years ago

Issue impacts standards track work, thus moved to https://issues.oasis-open.org/browse/CSAF-26 and closed here. Further work on the enhancement proposed will be tracked on TC JIRA. Thanks.