Subject: RE: EXT :[openc2] SBOM AP examples


I’ve added this topic to today’s working meeting agenda.

The video Duncan linked is 40 minutes. The video summary is:

The DIE Triad (Distributed, Immutable, Ephemeral) serves as an alternative to the CIA Triad (Confidentiality, Integrity, Availability) that reduces our security burden, enables us to achieve true resiliency, and move towards antifragility. Learn how to tackle our tough challenges in security, resiliency, and privacy by applying the DIE principles with commonly available tools and design patterns.

Here’s a Google search if you want to learn more:  https://www.google.com/search?q=DIE+Distributed+Immutable+Ephemeral&rlz=1C1GCEB_enUS1078US1079&oq=DIE+Distributed+Immutable+Ephemeral&gs_lcrp=EgZjaHJvbWUyBggAEEUYOdIBCDUzMzVqMGo3qAIAsAIA&sourceid=chrome&ie=UTF-8&safe=active&ssui=on

Dave

__________________

David Lemire
(301) 575-5190 (o)    (240) 938-9350 (m)
HII.com

From: openc2@lists.oasis-open.org <openc2@lists.oasis-open.org> On Behalf Of duncan sfractal.com
Sent: Monday, November 6, 2023 10:29 AM
To: TC OpenC2 (openc2@lists.oasis-open.org) <openc2@lists.oasis-open.org>
Subject: EXT :[openc2] SBOM AP examples

Apologies but I will miss this week’s OpenC2 meeting as I’ll be at a security conference in Texas. But I have a topic I would have brought up and maybe can be handled via email or discussed in my absence at the meeting.

I am updating my twinkly/blinky code for the upcoming Nov 30 prep plugfest preparing for the March Cybersecurity Automation Village. My code from the June plugfest is clearly dated with a very old version of the SBOM AP. I am in the process of updating my code to the version in the examples in SBOM AP (https://github.com/oasis-tcs/openc2-ap-sbom/blob/working/ap-sbom-v1.0.md#appendix-e-command-examples) but I noticed they are different than the examples in the JADN software test directory (https://github.com/oasis-open/openc2-jadn-software/blob/master/Test/device-simple-sbom/Good-command/q1-query-sbom-list.json).

A major difference is whether you query the list with a specific target (currently in working branch of AP):

{
  "action": "query",
  "target": "sbom_list"
}

Vs. query the list with the sbom target but leave it blank, i.e. an empty list of what SBOMs you want means don’t give any SBOMs but instead give me a list of “all” the SBOMs (currently in JADN test):

{
  "action": "query",
  "target": {
    "sbom": {
      "sbom": {}
    }
  }
}

My preference is sbom_list as target as in the AP. My logic is I’m a fan of DIE (https://www.youtube.com/watch?v=_omGtDfaAjI) and prefer immutable (the I in DIE) and program in functional programming languages (which enforce immutability), which I believe to be more secure by design. Functional programming languages use recursion, and recursing through lists is probably the most common programming task. An empty list means you are done recursing, not ‘all of something different’. Yes, it’s easy enough to add in the extra code to do this, but it is breaking a design paradigm. Also, as a human, I don’t like “nothing of one thing” meaning “everything of another thing”.

But I’m open to arguments on why to do it the JADN way.

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/
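To make the difference between the two command shapes concrete, here is an added example (not code from the SBOM AP, the JADN test suite, or either author) of a consumer-side handler in Python that answers both forms. The inventory contents, the response keys and the inner {"ids": [...]} selector are assumptions made for illustration; the two request shapes are the ones quoted in the thread.

```python
import json

# Constructed inventory for the example (identifier -> SBOM document); hypothetical data.
INVENTORY = {
    "blinky-1.2.0": {"bomFormat": "CycloneDX", "components": ["led-driver", "mqtt-client"]},
    "twinkly-0.9.1": {"bomFormat": "SPDX", "components": ["http-server"]},
}


def collect(ids, inventory):
    """Recursively fetch SBOMs by identifier.

    The empty list is the base case: done, nothing more to return.
    """
    if not ids:
        return {}
    head, *tail = ids
    found = {head: inventory[head]} if head in inventory else {}
    return {**found, **collect(tail, inventory)}


def handle_query(command_json, inventory=INVENTORY):
    """Answer an OpenC2 'query' for SBOM data in either of the two shapes from the thread.

    AP working branch:   {"action": "query", "target": "sbom_list"}
    JADN test directory: {"action": "query", "target": {"sbom": {"sbom": {}}}}
    Response keys ('status', 'results') and the {"ids": [...]} selector are assumptions.
    """
    cmd = json.loads(command_json)
    if cmd.get("action") != "query":
        return {"status": 400, "status_text": "only 'query' is handled in this example"}
    target = cmd.get("target")

    # Shape 1: listing is its own explicit target; the data path needs no special case.
    if target == "sbom_list":
        return {"status": 200, "results": {"sbom_list": sorted(inventory)}}

    # Shape 2: selection via the 'sbom' target. The empty selector must be tested for
    # before the normal path, because the normal path's "empty means done" would
    # otherwise answer with no SBOMs at all. This branch is the extra code the thread
    # describes as breaking the design paradigm.
    if isinstance(target, dict) and isinstance(target.get("sbom"), dict):
        selector = target["sbom"].get("sbom", {})
        if not selector:
            return {"status": 200, "results": {"sbom_list": sorted(inventory)}}
        return {"status": 200, "results": {"sbom": collect(selector.get("ids", []), inventory)}}

    return {"status": 400, "status_text": "unsupported target"}
```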
