Subject: RE: [cti] Re: [EXT] [cti] STIX 2.1 Extension Examples
I'm not very engaged in the development of STIX/TAXII; however, I am an interested party and have a vested interest in seeing greater alignment of SBOM standards with vulnerability reporting standards and entities.
I want to raise your attention to an award-winning paper from the ACM CPSIoTSec 2020 workshop held on 11/9/2020 that identifies some of the difficult challenges facing companies with regard to risk management and vulnerability reporting services. My software, SAG-PM, provides the energy industry with a software supply chain risk assessment control, and this paper highlights several of the issues that I've encountered with vulnerability reporting for software objects during risk assessments. I believe the "impedance mismatches", identified in the paper, between software objects and CVE databases/standards can be resolved, if the right people work together, especially software vendors, to address these issues as part of an SBOM standard, i.e. NTIA SBOM.
Here is a link to my summary of the paper I mention: https://energycentral.com/c/ec/one-more-reason-why-industry-needs-synchronize-sbom-standards-and-cve-reporting
I believe the complete paper is accessible from the ACM Digital Library.
My apologies if coordination is already underway between SBOM and CVE initiatives, but I'm not aware of any such efforts. This paper identifies just how important coordination between CVE/SBOM initiatives is to helping parties manage software risk. I would be happy to participate in any coordination efforts in this regard.
Tel: +1 978-696-1788
MITRE is considering setting up a repository for common objects for DHS. We are just at the planning stages, but that might be a good place for the execution-definition objects to "live". We could have more information there about the extension, or individuals could just follow the URL in the schema property.
I like that idea.
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Fri, Nov 13, 2020 at 4:33 PM Paul Patrick <firstname.lastname@example.org> wrote: