Subject: Re: [cti-cybox] CybOX 3.0: Address Object Refactoring
The bonus point was for identifying the problem with this data: Do you see it?
Now, what if a Producer sends that to an automated system? If that system is not already doing input validation, you get KABOOM!
One lesson that the Bad Guys have taught us is that you always validate input. Since we are already validating it, we will always know what type of IP address it is--regardless of what the Producer has said. Therefore, we do not need to mark the type of IP Address.
The only thing we get by allowing a Producer-authored "type" value is this: We know when the Producer gave us bad data. But, who cares? My system is probably just going to throw that away. I have yet to see a good feedback loop in TAXII/STIX/CybOX for telling the Producer about data errors.
Or, perhaps, we could have the CybOX libraries validate the "type" value and raise an Exception when it's wrong. But, again, the libraries will have to determine the type of IP Address from the data format. So, I don't see any gain, but rather a lot of lost computing cycles.
JSA

From: cti-cybox@lists.oasis-open.org <cti-cybox@lists.oasis-open.org> on behalf of Barnum, Sean D. <sbarnum@mitre.org>
Sent: Thursday, October 29, 2015 10:01 AM
To: Wunder, John A.; John Anderson
Cc: Davidson II, Mark S; Trey Darley; Terry MacDonald; Jordan, Bret; Kirillov, Ivan A.; cti-cybox@lists.oasis-open.org
Subject: Re: [cti-cybox] CybOX 3.0: Address Object Refactoring

I agree.

While the format could be distinguished from the string without explicit labeling, this puts the onus on the consumer to do that analysis on the data field. This seems like an unnecessary burden for use cases where the field may be used in processing, orchestration or workflow routing decisions.
sean
From: <cti-cybox@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Thursday, October 29, 2015 at 9:58 AM
To: John Anderson <janderson@soltra.com>
Cc: Mark Davidson <mdavidson@mitre.org>, Trey Darley <trey@soltra.com>, Terry MacDonald <terry@soltra.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>, Steve Cell <ikirillov@mitre.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX 3.0: Address Object Refactoring

What’s the upside of not requiring the producer to specify the version? If it’s distinguishable by format, couldn’t the producer just do that and always provide the format?
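
The trade-off debated in this thread, sketched from the consumer side as an added example (not code from the thread or from any CybOX library): the address family is derived from the value during input validation, and a Producer-supplied "type" serves only as a cross-check. The `value`/`type` keys, the `ipv4`/`ipv6` labels and the sample feed are constructed assumptions.

```python
import ipaddress

# Hypothetical family labels for the "type" field (not taken from the CybOX schema).
LABELS = {4: "ipv4", 6: "ipv6"}

def derive_type(value):
    """Derive the address family from the string alone; None means invalid input."""
    if not isinstance(value, str):
        return None
    try:
        # ip_interface() accepts a bare address or address/prefix (CIDR) notation
        return LABELS[ipaddress.ip_interface(value).version]
    except ValueError:
        return None

def check_address(obj):
    """Return (status, derived_type) for one address object.

    status: "ok", "mismatch" (valid address, wrong declared type) or "reject".
    """
    derived = derive_type(obj.get("value"))
    if derived is None:
        return ("reject", None)
    declared = obj.get("type")
    if declared is not None and declared != derived:
        # The Producer's label is only a cross-check; the derived type wins.
        return ("mismatch", derived)
    return ("ok", derived)

# Constructed sample feed (documentation address ranges), not data from the thread.
SAMPLE_FEED = [
    {"value": "198.51.100.7", "type": "ipv4"},
    {"value": "2001:db8::1", "type": "ipv4"},      # mislabeled by the Producer
    {"value": "203.0.113.0/24"},                    # no type supplied at all
    {"value": "::ffff:192.0.2.1", "type": "ipv6"},  # IPv4-mapped IPv6 is still IPv6
    {"value": "300.1.1.1", "type": "ipv4"},         # not a valid address
    {"value": 3232235777, "type": "ipv4"},          # wrong JSON type for the field
]

def triage(feed):
    """Validate every object and return the list of (status, derived_type)."""
    return [check_address(obj) for obj in feed]

if __name__ == "__main__":
    for obj, result in zip(SAMPLE_FEED, triage(SAMPLE_FEED)):
        print(obj, "->", result)
```

The explicit string check matters because `ipaddress` also accepts integers, so a numeric field would otherwise pass validation as an IPv4 address.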