Rich,
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ I believe that greater alignment of CTI STIX and SBOM taxonomy, semantics and data content standards would be beneficial to parties in the Energy industry that are performing software supply chain risk assessments to protect the Bulk Electric System from cyberattack. The ability to quickly and accurately identify vulnerabilities for a specific software product, as defined by itâs SBOM content, would greatly improve risk based decisions to install/not install a software object based on a trustworthiness score. Todayâs vulnerability search results contain far too many false positives resulting in a poor signal/noise ratio. These results could improve dramatically by aligning SBOM and STIX, data and content model standards.
Thanks,
Dick Brooks
Never trust software, always verify and report! â
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Rich Piazza
Sent: Monday, November 30, 2020 10:56 AM
To: cti@lists.oasis-open.org
Subject: [cti] STIX Best Practice Guide
DHS has asked MITRE to organize the writing of a best practice guide for STIX. We have some basic ideas, but were hoping for some input from the community. In many calls, emails and in Slack â members of the TC would often say something like â âthatâs a data quality issueâ, or âproducers should follow certain guidelines when creating this content (e.g., naming labels)â. Those are among the kind of things this document would capture.
DHS sees this document as a possible OASIS CTI TC note, so all content would be intellectual property of OASIS and the TC. As a google document, anyone on the TC can contribute.
Here is an outline MITRE put together. It is just a âstrawmanâ. The way to organize the document is open to discussion.
The subsections are possible topics for best practices that we thought of.
Any suggestions would be welcome 😊
Rich P.
--
Rich Piazza
Lead Cyber Security Engineer
The MITRE Corporation
781-271-3760
