
SCAP v3 #41

Open
gravax opened this issue Sep 16, 2020 · 13 comments

Comments

@gravax
Contributor

gravax commented Sep 16, 2020

I just saw this:

SCAP is a framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.

Should we consider aligning or even participating? Standards are good when they are as widely adopted as possible.

Gilles

@MarcinHoppe
Contributor

I think there is overlap. This only highlights the need for us to nail the charter and objectives for this WG.

@JasonKeirstead

Couple of notes

  • The current WIP for SCAP is SCAPv2, not V3 :)

  • The work is still very much in flight, widespread discussions happen daily (see the mailing lists).

  • The SCAPv2 reference implementation effort is just getting started. This work is going to be done as an open source project in the Open Cybersecurity Alliance.

Happy to build bridges here, anyone feel free to reach out.

I do strongly agree that downstream consumers need to be part of the conversation. The folks working on SCAP are who end up operationalizing vulnerability management processes. A fix is only useful once it's been physically deployed to the end user (who is often not the software developer) & it doesn't do anyone any good until that end-to-end process is done.

@MarcinHoppe
Contributor

@JasonKeirstead Thanks for the additional context! I think so far we've mostly heard from folks handling disclosure, but not a lot from folks who consume this information.

@SecurityCRob
Contributor

We're big fans of SCAP/OpenSCAP. OpenSCAP consumes our OVAL data to give an accurate scan of a system for vulns versus many commercial scanners. If not directly part of the WG's efforts, I feel we should indeed travel that bridge Jason offered us to listen to what's going on with that group and see how the update can assist our efforts.

@JasonKeirstead

@RedHatCRob Interestingly, we just had an OCA Webinar this week and this was one of the topics, which was pulled out into its own short overview video (< 10 mins)

https://www.youtube.com/watch?v=Q9SC1fpTKvQ

Feel free to get an overview of the project there. @MarcinHoppe happy to arrange someone to speak about this at the next meeting if we want it on the agenda.

@kerberosmansour

kerberosmansour commented Oct 2, 2020

Yeah, there is overlap because SCAP is (predominantly) used to check systems for insecure configuration (but because it uses OVAL under the hood it can pick up standard vulnerabilities). My understanding is that they are also looking at SACM, which is being worked on by an IETF working group to be the successor of SCAP.

Spec: Description
  • XCCDF Checklist Language: the human-readable description of a control
  • OVAL/OCIL Checklist Instructions: the automated (OVAL) and manual (OCIL) instructions to check the technical control
  • CCE/CPE/CVE: enumerations
  • CVSS: risk measurement

It's good to see OASIS (via Open Cybersecurity Alliance) getting involved and software being written for it.
My personal experience with SCAP is that it needs better "Getting Started" documentation as it has a (very) steep learning curve and it can feel at times like death by specification, which is why, on its own, without OSS tooling, it can be a challenge to adopt. The users of SCAP need better training/documentation to write SCAP files that work in their orgs.

Finally - as a lesson learned, if you expect a user to learn yet another DSL, err on the side of ease of use. E.g. how OSQuery used standard SQL, which limits the learning curve.
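To make the "OVAL under the hood" point concrete, here is an added example (not code from this thread, from OpenSCAP, or from any SCAP reference implementation): a minimal Python evaluator that walks the OVAL chain definition -> criteria -> rpminfo_test -> rpminfo_object/rpminfo_state and decides whether a host's package inventory matches a vulnerability definition. The OVAL document, every oval:org.example id, the CVE reference CVE-0000-0000, the package versions and the inventory dicts are all constructed placeholders; the evaluator only understands rpminfo tests and uses a simplified rpm-style EVR comparison (no `~`/`^` handling), whereas a real scanner would read the installed set from rpm/dpkg and implement the full test types.

```python
"""Minimal OVAL-style vulnerability check: added example, not project or OpenSCAP code.
The OVAL document, its ids, the CVE reference and all package versions are constructed
placeholders; the EVR comparison is a simplified rpm-style compare (no ~ or ^ handling)."""
import re
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_NS = OVAL_NS + "#linux"
LX = "{%s}" % LINUX_NS  # ElementTree tag prefix for the linux-schema elements

# Constructed definition: vulnerable if openssl OR openssl-libs is older than 1:1.1.1k-2.
SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_NS}" xmlns:linux="{LINUX_NS}">
 <definitions>
  <definition id="oval:org.example:def:1" version="1" class="vulnerability">
   <metadata><title>constructed: openssl fixed in 1:1.1.1k-2</title>
    <reference source="CVE" ref_id="CVE-0000-0000"/></metadata>
   <criteria operator="OR">
    <criterion test_ref="oval:org.example:tst:1" comment="openssl earlier than 1:1.1.1k-2"/>
    <criterion test_ref="oval:org.example:tst:2" comment="openssl-libs earlier than 1:1.1.1k-2"/>
   </criteria>
  </definition>
 </definitions>
 <tests>
  <linux:rpminfo_test id="oval:org.example:tst:1" version="1" check="at least one" comment="openssl">
   <linux:object object_ref="oval:org.example:obj:1"/><linux:state state_ref="oval:org.example:ste:1"/>
  </linux:rpminfo_test>
  <linux:rpminfo_test id="oval:org.example:tst:2" version="1" check="at least one" comment="openssl-libs">
   <linux:object object_ref="oval:org.example:obj:2"/><linux:state state_ref="oval:org.example:ste:1"/>
  </linux:rpminfo_test>
 </tests>
 <objects>
  <linux:rpminfo_object id="oval:org.example:obj:1" version="1"><linux:name>openssl</linux:name></linux:rpminfo_object>
  <linux:rpminfo_object id="oval:org.example:obj:2" version="1"><linux:name>openssl-libs</linux:name></linux:rpminfo_object>
 </objects>
 <states>
  <linux:rpminfo_state id="oval:org.example:ste:1" version="1">
   <linux:evr datatype="evr_string" operation="less than">1:1.1.1k-2</linux:evr>
  </linux:rpminfo_state>
 </states>
</oval_definitions>"""


def rpmvercmp(a, b):
    """Compare two rpm version strings segment by segment; returns -1, 0 or 1."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts after an alpha one
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments means newer


def evr_cmp(a, b):
    """Compare epoch:version-release strings the way rpm orders them (-1, 0, 1)."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":")     # missing epoch is treated as 0
        version, _, release = rest.partition("-")
        return int(epoch or 0), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


OPS = {"less than": lambda c: c < 0, "equals": lambda c: c == 0,
       "greater than or equal": lambda c: c >= 0}


def evaluate(oval_xml, installed):
    """Return [(definition id, [CVE ids])] for every definition whose criteria hold on
    `installed`, a constructed {package name: evr} inventory standing in for rpm -qa."""
    root = ET.fromstring(oval_xml)
    tests = {e.get("id"): e for e in root.iter(LX + "rpminfo_test")}
    objects = {e.get("id"): e for e in root.iter(LX + "rpminfo_object")}
    states = {e.get("id"): e for e in root.iter(LX + "rpminfo_state")}

    def run_test(test_id):
        t = tests[test_id]
        name = objects[t.find(LX + "object").get("object_ref")].find(LX + "name").text
        if name not in installed:      # object absent on the host: the test is false
            return False
        evr = states[t.find(LX + "state").get("state_ref")].find(LX + "evr")
        return OPS[evr.get("operation")](evr_cmp(installed[name], evr.text))

    def run_criteria(node):  # AND/OR tree of criterion (test refs) and nested criteria
        results = [run_test(c.get("test_ref")) if c.tag.endswith("criterion")
                   else run_criteria(c) for c in node]
        return all(results) if node.get("operator", "AND") == "AND" else any(results)

    hits = []
    for d in root.iter("{%s}definition" % OVAL_NS):
        if run_criteria(d.find("{%s}criteria" % OVAL_NS)):
            cves = [r.get("ref_id") for r in d.iter("{%s}reference" % OVAL_NS)
                    if r.get("source") == "CVE"]
            hits.append((d.get("id"), cves))
    return hits


if __name__ == "__main__":
    print(evaluate(SAMPLE_OVAL, {"openssl": "1:1.1.1g-15", "openssl-libs": "1:1.1.1k-2"}))
    print(evaluate(SAMPLE_OVAL, {"openssl": "1:1.1.1k-2", "openssl-libs": "1:1.1.1k-5"}))
```

The first inventory matches the definition (openssl is older than the fixed EVR, and the criteria operator is OR), the second does not, and a host without either package produces no hit because a missing object makes its test false rather than true. That last case is the easy mistake in home-grown scanners; the CVE id attached to a hit comes only from the definition's `<reference source="CVE">` metadata, which is what lets OVAL-based tools report vulnerabilities rather than just configuration state.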

@kerberosmansour

kerberosmansour commented Oct 2, 2020

Side note... OSQuery is an LF project, I would LOVE if it can take SCAP files or map running software to CVEs out of the box.

@david-a-wheeler
Contributor

Just a quick heads-up, there are at least 2 unrelated SACMs in the security space:

  • the IETF Security Automation and Continuous Monitoring (SACM), noted above
  • the Object Management Group (OMG) Structured Assurance Case Metamodel (SACM), a common data format for assurance cases

I swear this is not my fault :-).

@kerberosmansour

Hahaha! Are you sure about that @david-a-wheeler ?
Yeah, there are bound to be some collisions in acronyms! Since you are here - how do we have a chat with the OSQuery project and ask if it makes sense for them to have a home under OSSF?

@david-a-wheeler
Contributor

@kerberosmansour - I don't know the osquery folks (to my knowledge), sorry!

@JasonKeirstead

This thread seems to be getting a little activity/topic heavy.

RE OS Query - OS Query has a wide mandate that goes beyond cyber. I view it as an enabling technology. A project that leveraged OS Query to run an SCAPv2 evaluation would be very cool, but IMHO that would not be part of OS Query itself.

Leveraging OS Query for the SCAPv2 reference implementation might be an idea worth pursuing with that project...

@kerberosmansour

kerberosmansour commented Oct 2, 2020 via email

@dodys
Contributor

dodys commented Feb 26, 2024

Anyone feel free to correct me here, but I believe at this point SCAP v2 has been discarded by NIST, who has been focusing on OSCAL instead
