Thanks guys, very helpful discussion.
Cheers,
Eyal.
From: Jason Keirstead [mailto:Jason.Keirstead@ca.ibm.com]
Sent: Wednesday, March 15, 2017 8:25 PM
To: Stuart Maclean
Cc: Back, Greg; Eyal Paz; cti@lists.oasis-open.org; cti-users@lists.oasis-open.org
Subject: Re: [cti-users] Re: Announcing python-stix2
I am not going to go down the "JSON vs XML" rabbit hole again as this was all decided 2 years ago, but I think it is definitely a stretch to say "there will be no Java-language STIX 2 manipulation tools".
Myself, I actually do foresee fewer "bindings" made for STIX 2.0, simply because part of the benefit of the new STIX model using JSON is you actually do not really need "bindings" to work with it in the majority of languages - it is just simple and easy for developers to program against without worrying about them - they're normally not needed. You can work with STIX in Java using GSON, JSONOrg, Jackson, without having any bindings at all... there are also libraries that will auto-generate bindings for you from the JSON schema, if you still want that.
Because it is RESTful, you could actually likely implement a full-blown TAXII server without writing any code, simply using JAX-RS with STIX schema-generated POJOs...
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: Stuart Maclean <stuart@apl.washington.edu>
To: "Back, Greg" <gback@mitre.org>, Eyal Paz <eyalp@checkpoint.com>,
"cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Date: 03/15/2017 01:48 PM
Subject: Re: [cti-users] Re: Announcing python-stix2
Sent by: <cti-users@lists.oasis-open.org>
On 03/15/2017 09:22 AM, Back, Greg wrote:
Hi Eyal,
MITRE isn’t working on anything, and I’m not personally aware of anyone else who is either. But if someone is, hopefully they’re on one of these lists and will respond.
Greg
Greg, all,
I have followed the STIX development over the past couple of years, and even developed a Java library for STIX manipulation, see https://github.com/uw-dims/stix-java. That was when STIX 1.1 was current.
I watched with some dismay as the XML schema way of doing things in STIX 1.1 was dismantled in favor of JSON for STIX 2. While XML schemas are complicated, they are very precise, and a document can be checked against a schema to assert its validity. Further, the richness of tools for XML schemas, notably the JAXB/xjc tools for Java, gives developers a huge leg-up in implementing an API for STIX manipulation. I just cranked the JAXB handle over the .xsd file set, and hey presto I had a set of Java classes with which to start my API.
Going out on a limb here, I also think that Java developers LIKE more discipline than Python developers. Static typing vs duck typing? The XML schema way of representing information is disciplined, and leads to fewer 'You meant X? I thought you meant Y' gotchas at runtime. Extrapolating, I think the JSON way of data representation is less disciplined than the XML way, hence the natural inclination of Python developers to prefer JSON.
Looking at the STIX 2 specs, I admire the effort the authors must have put in. But from a library builder's point of view, there being no machine-ingestible docs (i.e. the xsd files in STIX 1.1), I am back to square one (if I have missed any machine-readable docs, I apologize).
So, in a nutshell, my own feeling is that there will be no Java-language STIX 2 manipulation tools, a sad fact, and I sincerely hope I am wrong in this respect. I do know that I won't add to my STIX 1.1 Java effort.
Stuart