OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

openc2-imple message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: HTTPS REST API use case

Bret, et al,
Wrt to use cases for an HTTPS REST API use cases - I thought we had done
that already. 
I submitted a google doc to the IC-SC on Aug 2, 2017. Subsequently I
started using git hub and I would point to
 as an example use case for HTTPS REST API. In that particular use case
openc2 is used over an https rest api's to two different firewalls.
Sidenote: it's good sending this email caused me to reread that use case
because I caught a typo :-).

Wrt requirements I would propose an incremental agile approach over a
waterfall approach.

Note that in 01.another_user.md that one of the firewalls is a CSA SDP
enabled firewall. My intent is to add code to the proposed
openc2-lycan-beam open source repository to put an https rest api openc2
interface to the code Mike Stair wrote and was just accepted by the
fwknop project in pull request 260
(https://github.com/mrash/fwknop/pull/260) to be able to accomplish that
part of the use case. I also plan to add openc2 to the existing pfsense
https rest api
(https://github.com/ndejong/pfsense_fauxapi/blob/master/README.md) but
that is more challenging and further down the pike. 

Since you (Bret) work at Symantec, I thought I'd point out Symantec
Endpoint Protection Manager as a potential use case the group may want
to consider as well. I note the Phantom usecases do not include the
Symantec Endpoint Protection Manager by name in the use case they have
been focusing on but they do include it the 'all_actions_in_phantom' use
case (ie it's one of the hundreds we haven't gotten to yet - but it
shows it is of interest to their customers). Symantec has good
documentation for this REST API at
and I would think would be a candidate for OpenC2. Even if we don't use
it as an use case, it is good as a reference for requirements we should
consider. In the Language SC the debate has been over how to do
versioning (among other things). The Symantec interface is a good
example of how the version is in the URL of each command (not in the
JSON) - search GET or POST in the document and you will see url's like
"GET /api/v1/policy-objects/fingerprints" which has v1 in the URL. I
personally recommend a similar
approach (ie version in the url) be specified in the Openc2 https rest

Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize

-------- Original Message --------
Subject: [openc2-imple] Re: [EXT] Re: [openc2-imple] HTTPS REST API
From: Bret Jordan <Bret_Jordan@symantec.com>
Date: Sat, March 17, 2018 5:10 am
To: Danny Martinez <danny.martinez@g2-inc.com>
Cc: Duncan Sparrell <duncan@sfractal.com>,
"openc2-imple@lists.oasis-open.org" <openc2-imple@lists.oasis-open.org>

 Before we rush into picking a solution, we really need to spend the
time up front identifying the use cases and requirements.  
 Sent from my Commodore 128D 
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

 On Mar 16, 2018, at 9:10 PM, Danny Martinez <danny.martinez@g2-inc.com>
I think that this would be a great use case to explore. I recently had a
conversation with Dave Lemire about this. 

Of particular interest are devices that are inaccessible by an
orchestrator, like devices that may be using NAT or behind a firewall
with no port fowarding. The "Polling" mode of initiation where an
actuator reaches out to an orchestrator in order to see if any actions
need to be carried out. 

This is not to omit the cases when the orchestrator does have access to
an actuator. This has merit as well.

However, HTTPS and REST API are known to work well in scenarios where
they are being queried at high volume and therefore I think that a
"polling" scenario would benefit from this type of transport mechanism,
specially if exposed to the internet such as IOT devices.



 On Fri, Mar 16, 2018 at 4:18 PM, <duncan@sfractal.com> wrote:
   I personally think (and I believe IC-SC had previously agreed) that
one of the transport mechanisms be a HTTPS REST API. I recommend the
IC-SC begin to draft such a specification and I would agree to be a
co-editor of that spec if desired. 
I recommend the HTTPS REST API be specified using another existing
standard - OpenAPI (https://www.openapis.org/). I believe we should use
OpenAPI V2 since V3 is still being worked (but switch to V3 once it is
available). OpenAPI specifications can written in JSON or YAML - I
recommend we use JSON since it would be weird (but I guess allowed) to
write a YAML spec on how to send JSON. Note code generation for OpenAPI
specified API's exist in over 40 languages, and OpenAPI is used in many
API specifications (Google's probably being the most well known - I am
at a conference at the moment, literally sitting in talk by Google on
their use of OpenAPI, which prompted me to sent these emails).

Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize

--------------------------------------------------------------------- To
unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at: 

   Danny Martinez
 Cybersecurity Engineer
 G2, Inc.
 302 Sentinel Drive, Suite 300
 Annapolis Junction, MD 20701
 Mobile: 407-257-0031

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]