Open joesain26 opened 5 years ago
Challenge: SCAP doesn’t define standard formats that truly allow a “security-as-code” approach. Currently, rules are maintained as a baseline in one huge XML file. There is a demand for machine-readable security baselines, yet most organizations consume SCAP content in one of three ways (IASE, CIS, OpenSCAP) rather than producing their own SCAP content. One probable reason for this is that authoring and maintaining content in “SCAP proper” is very difficult.
Proposals:
Internal usage of Scapolite for all new IS Policies published within Siemens in the past 1.5 years shows that Scapolite is a format that supports the “security-as-code” approach.
The Content Authoring and Tooling sub-group discussed this topic at the 12/13/19 telecon and decided that rather than using Scapolite as the basis for a standard, the approaches and lessons learned from the Scapolite experience would be used to develop the multi-layer content authoring tool. Members will brainstorm on how to develop mock-ups and code samples that take advantage of Scapolite concepts.
Scapolite example: https://github.com/scapolite/example_iase_win_server_2016_v1r7