ossf / wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
https://openssf.org
Apache License 2.0

SCAP v3 #41

Open gravax opened 3 years ago

gravax commented 3 years ago

I just saw this:

SCAP is a framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.

Should we consider aligning or even participating? Standards are good when they are as widely adopted as possible.

Gilles

MarcinHoppe commented 3 years ago

I think there is overlap. This only highlights the need for us to nail the charter and objectives for this WG.

JasonKeirstead commented 3 years ago

Couple of notes

Happy to build bridges here, anyone feel free to reach out.

I do strongly agree that downstream consumers need be part of the conversation. The folks working on SCAP are who end up operationalizing vulnerability management processes. A fix is only useful once it's been physically deployed to the end user (who is often not the software developer) & it doesn't do anyone any good until that end to end process is done.

MarcinHoppe commented 3 years ago

@JasonKeirstead Thanks for the additional context! I think so far we've mostly heard from folks handling disclosure, but not a lot from folks who consume this information.

SecurityCRob commented 3 years ago

We're big fans of SCAP/OpenSCAP. OpenSCAP consumes our OVAL data to give an accurate scan of a system for vulns versus many commercial scanners. If not directly part of the WG's efforts, I feel we should indeed travel that bridge Jason offered us to listen to what's going on with that group and see how the update can assist our efforts.

JasonKeirstead commented 3 years ago

@RedHatCRob Interestingly, we just had an OCA Webinar this week and this was one of the topics, which was pulled out into its own short overview video (< 10 mins)

https://www.youtube.com/watch?v=Q9SC1fpTKvQ

Feel free to get an overview of the project there. @MarcinHoppe happy to arrange someone to speak about this at the next meeting if we want it on the agenda.

kerberosmansour commented 3 years ago

Yeah, there is overlap because SCAP is (predominantly) used for checking systems for insecure configuration (but because it uses OVAL under the hood it can pick up standard vulnerabilities). My understanding is that they are also looking at SACM, which is being worked on by an IETF working group to be the successor of SCAP.

| Spec | Description |
| --- | --- |
| XCCDF | Checklist Language: The human readable description of a control |
| OVAL/OCIL | Checklist Instructions: The automated (OVAL) and manual (OCIL) instructions to check the technical control |
| CCE/CPE/CVE | Enumerations |
| CVSS | Risk Measurement |

It's good to see OASIS (via Open Cybersecurity Alliance) getting involved and software being written for it. My personal experience with SCAP is that it needs better "Getting Started" documentation, as it has a (very) steep learning curve and it can at times feel like death by specification, which is why on its own, without OSS tooling, it can be a challenge to adopt. The users of SCAP need better training/documentation to write SCAP files that work in their orgs.

Finally - as a lesson learned, if you expect a user to learn yet another DSL, err on the side of ease of use. E.g. how OSQuery used standard SQL, which limits the learning curve.

kerberosmansour commented 3 years ago

Side note... OSQuery is an LF project, I would LOVE if it can take SCAP files or map running software to CVEs out of the box.

david-a-wheeler commented 3 years ago

Just a quick heads-up, there are at least 2 unrelated SACMs in the security space:

I swear this is not my fault :-).

kerberosmansour commented 3 years ago

Hahaha! Are you sure about that @david-a-wheeler? Yeah, there are bound to be some collisions in acronyms! Since you are here - how do we have a chat with the OSQuery project and ask if it makes sense for them to have a home under OSSF?

david-a-wheeler commented 3 years ago

@kerberosmansour - I don't know the osquery folks (to my knowledge), sorry!

JasonKeirstead commented 3 years ago

This thread seems to be getting a little activity/topic heavy.

RE OS Query - OS Query has a wide mandate that goes beyond cyber. I view it as an enabling technology. A project that leveraged OS Query to run an SCAPv2 evaluation would be very cool, but IMHO that would not be part of OS Query itself.

Leveraging OS Query for the SCAPv2 reference implementation might be an idea worth pursuing with that project...

kerberosmansour commented 3 years ago

There is that, and mapping running software on an end point to PURLs/CPEs and then mapping those back to CVEs (i.e. vulnerabilities). - Sherif

On Fri, Oct 2, 2020 at 7:31 PM Jason Keirstead notifications@github.com wrote:

> This thread seems to be getting a little activity/topic heavy.
>
> RE OS Query - OS Query has a wide mandate that goes beyond cyber. I view it as an enabling technology. A project that leveraged OS Query to run an SCAPv2 evaluation would be very cool, but IMHO that would not be part of OS Query itself.
>
> Leveraging OS Query for the SCAPv2 reference implementation might be an idea worth pursuing with that project...
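The mapping Sherif describes above (installed software on an endpoint to PURLs, then PURLs back to vulnerability records) as an added, stand-alone example; this is not osquery, SCAP or OpenSSF project code. It assumes inventory rows shaped like the `name` and `version` columns of osquery's `deb_packages` table, a constructed vulnerability feed keyed by PURL with an affected version range, and a simplified dpkg-style version ordering that is an assumption of the example rather than a full implementation of dpkg's rules. The feed entries and their EXAMPLE-* identifiers are constructed placeholders, not real advisories.

```python
"""Map an endpoint's installed packages to PURLs and back to advisories.

Added example, not osquery/SCAP project code. The inventory and the feed
are constructed inline; the EXAMPLE-* ids are placeholders, not CVEs.
"""
import re

# Rows shaped like `SELECT name, version FROM deb_packages;` in osquery.
# Constructed sample data, not captured from a real host.
INVENTORY = [
    {"name": "openssl", "version": "1.1.1k-1"},
    {"name": "curl", "version": "7.74.0-1.3"},
    {"name": "bash", "version": "5.1-2"},
]

# Constructed feed: advisory id, version-less PURL, affected range
# [introduced, fixed). Ids are placeholders, not real CVE identifiers.
FEED = [
    {"id": "EXAMPLE-0001", "purl": "pkg:deb/debian/openssl",
     "introduced": "1.1.0", "fixed": "1.1.1l-1"},
    {"id": "EXAMPLE-0002", "purl": "pkg:deb/debian/curl",
     "introduced": "7.0.0", "fixed": "7.74.0-1.3"},
    {"id": "EXAMPLE-0003", "purl": "pkg:deb/debian/bash",
     "introduced": "4.0", "fixed": "4.4"},
]


def to_purl(pkg, distro="debian"):
    """Build a package-url for a Debian package row (assumed distro)."""
    return f"pkg:deb/{distro}/{pkg['name']}@{pkg['version']}"


def split_purl(purl):
    """Separate the version-less PURL from its version component."""
    base, _, version = purl.rpartition("@")
    return base, version


def version_key(version):
    """Simplified dpkg-style ordering key: alternating (non-digit text,
    integer) pairs, so '1.1.1k-1' > '1.1.1k' and '7.74' > '7.9'.
    Assumption of this example: dpkg rules such as '~' sorting before
    the empty string are not implemented."""
    return [(text, int(digits) if digits else 0)
            for text, digits in re.findall(r"(\D*)(\d*)", version)]


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under version_key."""
    key = version_key(version)
    return version_key(introduced) <= key < version_key(fixed)


def match_inventory(inventory, feed):
    """Return {purl: [advisory ids]} for installed packages whose
    version falls inside an advisory's affected range."""
    findings = {}
    for pkg in inventory:
        purl = to_purl(pkg)
        base, version = split_purl(purl)
        hits = [adv["id"] for adv in feed
                if adv["purl"] == base
                and is_affected(version, adv["introduced"], adv["fixed"])]
        if hits:
            findings[purl] = hits
    return findings


if __name__ == "__main__":
    for purl, ids in match_inventory(INVENTORY, FEED).items():
        print(purl, "->", ", ".join(ids))
```

With the constructed data only the openssl row matches: curl sits exactly at the fixed version (the range is half-open, so a package at the fix version is not reported) and bash is newer than the fixed version. Real feeds usually carry several disjoint ranges per advisory and distro-specific backported fixes, which is why the version comparison is the part to get right before trusting such a mapping.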

dodys commented 4 months ago

Anyone feel free to correct me here, but I believe at this point SCAP v2 has been discarded by NIST, who has been focusing on OSCAL instead