I am saying that Intelworks to this point has open sourced a really good TAXII client and TAXII server and they already use JSON. I have open sourced a start for a TAXII server in JSON and have started working on libraries for JSON based STIX.
While I can not comment on what Intelworks will do in the future, I can say that their product is one of the solutions that I personally find amazing. It is really neat and will be a game changer for the CTI world and they do JSON based STIX.
The point is, if we do JSON, it will a lot easier for us to recruit people to help write APIs, tools, clients, apps, web interfaces, etc.. Format impacts adoption, plain and simple.
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

You are saying that IntelWorks would be willing to build out a complete set of libraries that would allow for an abstraction away from the underlying data structure (for vendors implementing products) while giving each vendor the ability to work with STIX using a variety of agreed upon formats and languages?
We can get a lot of the community to help build libraries, if we move to JSON. I know I would be willing to help, Intelworks would probably help, Bit9 is willing to help, and I know about 20 other vendors that have commented to me privately that are willing to help.
We are just not going to get them to build libraries for things they are not going to use, and most vendors do not use XML and their developers hate it.
There is another problem with standard libraries that Jason kind of alludes to. Depending on the license of the library, a vendor may not be able to use it. If it is, say, GPLv3, then they will say no. If it is BSD / MIT, then yes. So as this work moves forward, if the base libraries are not in a licensing-friendly format, then vendors will have to write their own, and if they are having to write libraries for STIX XML, then they will just give up and do Facebook's ThreatExchange format and call it good.
I have never heard anyone say that they would stop using STIX if we got rid of XML. So let's just get rid of XML and move to JSON and be done with this 12 month old discussion.
Very fair point Jason – Do we have anyone like Mitre contracted who can maintain a set of libraries? That could be a heavy lift. If we have that, I would suggest we work with them to build out the full functionality we need, not just skeleton libraries like we have now. If we don't have that, I would go back to the thought that our scope should be limited to a conceptual model only. We have to make a choice here, and it has big implications.

/ If we abstract out the complexity what we have to 'learn' is a set of API calls. This is how modern software is built – Not on data formats but on API formats. /
This sounds good in principle, but in order for this to work in practice the OASIS CTI would have to be responsible not just for the STIX standard, but also reference bindings and documentation for STIX in several mainstream languages, I would say Python, Java, and C++ at a minimum. This would be a very large body of work to undertake and maintain... even the current reference Python bindings by MITRE are pretty bare-bones (they don't "make anything simple", it's really just a data binding - not really what is required for a widely used reference library) and I don't think the Java ones were ever completed. If you don't have an easy to use library set for everyone to use, then the format of the data is very important.
I will give an example to the list from my own experience. I had to add some STIX support to a system in Python that was running Python 2.6, which I do not have any control over, and did not ship with a C++ compiler. As a result, the MITRE reference libraries have a dependency chain that ends up with something needing C++ linking to libraries to build - so I could not use them at all. I ended up having to write my own STIX parser in Python from the XML... which was quite eye-opening as to how convoluted STIX can be to work with, and I had all of Python to help me. I can't even imagine the job of someone writing a STIX XML parser in C++ based on the 1.1 specification alone.

/ I honestly hate them all, even the XML format. /
Well, I know of few data formats I have any particular "love" for :) My main beef with the XML format has nothing to do with how it looks; it has to do with markup verboseness and efficiency on the wire.
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
From: "Bush, Jonathan" <firstname.lastname@example.org>
To: "'Jordan, Bret'" <email@example.com>, Aharon Chernin <firstname.lastname@example.org>
Cc: Mark Clancy <email@example.com>, "firstname.lastname@example.org" <email@example.com>
Date: 2015/08/28 09:06 PM
Subject: RE: [cti] Thoughts on STIX and some of the other threads on this list
Sent by: <firstname.lastname@example.org>
Bret – I think my point still remains – Why should I have to learn ANY specific implementation format? I honestly hate them all, even the XML format.
If we abstract out the complexity what we have to ‘learn’ is a set of API calls. This is how modern software is built – Not on data formats but on API formats.
From: email@example.com [mailto:firstname.lastname@example.org] On Behalf Of Jordan, Bret
Sent: Friday, August 28, 2015 7:38 PM
To: Aharon Chernin
Cc: Mark Clancy; email@example.com
Subject: Re: [cti] Thoughts on STIX and some of the other threads on this list
Consumers use tools, hopefully they never see the format. Vendors, web developers, app developers, and open source developers write the tools. They are the ones that have to pay the XML tax.
Given the progress that Facebook is making I can begin to see a need for vendors even Soltra Edge to start supporting their threat exchange format.
My question still stands: will anyone not use STIX if we stopped doing XML? Follow-on: how many more vendors and developers will we gain if we adopted JSON?
Let's just use Intelworks' JSON STIX format and be done with it.
Sent from my Commodore 64