
Subject: STIX and TAXII Security Considerations


Hey all,

 

Thanks for everyone’s time on the working call today. We had a great brainstorming discussion and made a lot of progress on what we need to get done. We focused mostly on identifying the sorts of things we want to include in these security considerations sections; the idea being each topic has 1-2 sentences describing the consideration. Here’s what we came up with so far:

 

STIX

* Patterning

* Binary content (executables)

* Malicious content (URLs, emails, etc.) -- maybe lead with this and call out implementers need to be very aware of this. Security controls may also fire, causing loss of functionality.

* PII data - pull privacy text out of section 9 of IODEF (identity object, IP addresses, descriptions)

* Unicode

* Markings / Handling

* Custom Property / Custom Object -- not defined by specification, needs to be safely parsed (??? maybe this is covered by JSON)

* Hashing and encryption -- borrow standard text about choosing appropriate hashes/encryption mechanisms

* Trust across object graphs

* Graph explosions (??)

 

TAXII

* Reference to STIX and other content

* Authentication/Authorization

* Confidentiality and TLS

* HTTP Basic security considerations

* Unicode

* Errors - descriptive text leaking info

* Errors - return code for things you don't have access to (leak info about existence of something, implementation of something, vs. just not having access)

* Reference HTTP/HTTPS security considerations (maybe need to mention URL traversals in general TAXII security considerations but not for this IANA media type section)

 

What we need from you:

* What are we missing?

* Is there anything there that shouldn’t be there? We don’t want to go overboard.

* Can you write any of the content for any of those topics? Again, we just need a very short explanation of the consideration – we’re not trying to solve the problem.

 

Thanks a bunch to John-Mark Gurney from New Context, who’s already contributed a bunch of text and expertise. Thanks also to Bret and Robin for working with IANA on this.

 

Our response is due to IANA by June 30, so the editors will work with JMG and others to get this text in place and submitted before then. Prior to submission of course we’ll send the completed versions to this list for review.

 

Thanks again,

John

 

STIX security considerations (working doc): https://docs.google.com/document/d/1ShNq4c3e1CkfANmD9O--mdZ5H0O_GLnjN28a_yrEaco/edit#heading=h.g21nxx9ar265

TAXII security considerations (working doc): https://docs.google.com/document/d/1EsiWY7TGqt9yH6QUXv4c-opXSr3wR0TDMt8Q0yJjpoo/edit#heading=h.h1stnx7npfus

IODEF Example: https://tools.ietf.org/html/rfc7970#section-9

ROLIE Example: https://tools.ietf.org/html/rfc8322#section-9
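The two TAXII "Errors" items above (descriptive text leaking information, and return codes revealing whether something exists) are illustrated by the following added example; it is not code from the post, the TAXII specification, or any OASIS project. It assumes a hypothetical in-memory collection store with constructed principals and collection IDs, and contrasts a leaky handler with one that returns an identical, minimal 404 for both "does not exist" and "not authorized".

```python
"""Added example (not from the original post): uniform error handling for a
TAXII-style collection lookup so the response does not reveal whether a
collection exists when the caller is not authorized to read it."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Collection:
    id: str
    readers: frozenset  # principals allowed to read (constructed sample data)


# Constructed sample store: two collections with different access lists.
COLLECTIONS = {
    "public-indicators": Collection("public-indicators", frozenset({"alice", "bob"})),
    "restricted-tlp-red": Collection("restricted-tlp-red", frozenset({"alice"})),
}

# One generic error body: no implementation detail, no hint about existence.
NOT_FOUND = (404, {"title": "Not Found"})


def get_collection(principal, collection_id, store=COLLECTIONS):
    """Return (status, body) for a GET on a collection resource.

    A missing collection and a collection the principal cannot read yield the
    identical 404, so neither the status code nor the body can be used to
    enumerate collection IDs. A distinct 403 would confirm existence.
    """
    coll = store.get(collection_id)
    if coll is None or principal not in coll.readers:
        return NOT_FOUND
    return 200, {"id": coll.id, "can_read": True, "can_write": False}


def leaky_get_collection(principal, collection_id, store=COLLECTIONS):
    """The pattern the post warns against: distinct codes and chatty
    descriptions leak both existence and implementation detail."""
    coll = store.get(collection_id)
    if coll is None:
        return 404, {"title": "Not Found",
                     "description": f"No collection {collection_id!r} in store"}
    if principal not in coll.readers:
        return 403, {"title": "Forbidden",
                     "description": f"{principal!r} may not read {collection_id!r}"}
    return 200, {"id": coll.id, "can_read": True, "can_write": False}
```

Compare the responses `bob` receives for `restricted-tlp-red` and for a non-existent ID under each handler: only the leaky one lets him tell the two apart.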
