openc2-lang message
Subject: SBoM Re: Meeting Monday of the Language Committee


One issue I would like to address is the command response JSON for the query SBoM needed as part of the comply-to-connect use case. I call it an SBoM (see ntia.gov/sbom); the DoD use case calls it software inventory. There are several (at least 3) quasi-standard formats for the reply. The DoD use case only specs one (SWID), but I would like to see SPDX and CycloneDX as well. I would like this to be standard, not extensions, and it currently is not in 1.0. Next steps after SBoM would be (1) the vulnerability query to a sense-making function asking if an SBoM complies with policy and (2) other language extensions needed for plugfest made standard, i.e. look through the extensions.

iPhone, iTypo, iApologize
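The two steps the message above sketches (a reply that may arrive in any of several SBoM formats, and a sense-making function that decides whether that SBoM complies with policy) can be shown in code. The following is an added example, not code from the thread or from the OpenC2 project, and it does not define the OpenC2 response envelope, which the thread leaves open. The two SBoM documents and the policy are constructed for the example; the field names follow the public CycloneDX JSON and SPDX JSON layouts (`components[].name/version` and `packages[].name/versionInfo`), and SWID (an XML tag format) is left out to keep the block short. `parse_sbom`, `check_compliance`, `POLICY` and the helper names are this example's own.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample SBoMs (not from the thread). The component lists are made up.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.2",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2u"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
    ],
})

SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "packages": [
        {"name": "openssl", "versionInfo": "1.1.1d"},
        {"name": "telnetd", "versionInfo": "1.0"},
    ],
})

# Constructed policy (an assumption for the example): a version floor per
# component, plus components that must not be present at all.
POLICY: Dict[str, object] = {
    "minimum_version": {"openssl": "1.1.0"},
    "forbidden": {"telnetd"},
}

Inventory = List[Tuple[str, str]]


def parse_sbom(text: str) -> Inventory:
    """Normalize a CycloneDX JSON or SPDX JSON document to a (name, version) list.

    The format is detected from the document itself, so a consumer does not have
    to know in advance which of the quasi-standard formats the actuator chose.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return [(c["name"], c.get("version", "")) for c in doc.get("components", [])]
    if "spdxVersion" in doc:
        return [(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]
    raise ValueError("unrecognized SBoM format")


def numeric_version(version: str) -> Tuple[int, ...]:
    """Compare on the numeric fields only: '1.0.2u' -> (1, 0, 2).

    Letter suffixes (OpenSSL-style) are dropped, so '1.0.2u' and '1.0.2a' compare
    equal; a real policy engine needs a per-ecosystem version scheme.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def evaluate(inventory: Inventory, policy: Dict[str, object]) -> List[str]:
    """Return one finding per policy violation; an empty list means compliant."""
    findings: List[str] = []
    floors: Dict[str, str] = policy["minimum_version"]  # type: ignore[assignment]
    forbidden = policy["forbidden"]
    for name, version in inventory:
        if name in forbidden:
            findings.append(f"{name} {version}: forbidden component")
        floor = floors.get(name)
        if floor is not None and numeric_version(version) < numeric_version(floor):
            findings.append(f"{name} {version}: below minimum {floor}")
    return findings


def check_compliance(sbom_text: str, policy: Dict[str, object] = POLICY) -> Tuple[bool, List[str]]:
    """The sense-making step: parse whatever format arrived, then apply policy."""
    findings = evaluate(parse_sbom(sbom_text), policy)
    return (not findings, findings)


if __name__ == "__main__":
    for label, sbom in (("CycloneDX", CYCLONEDX_SBOM), ("SPDX", SPDX_SBOM)):
        ok, findings = check_compliance(sbom)
        print(label, "compliant" if ok else "non-compliant", findings)
```

The split between `parse_sbom` and `evaluate` is the point: the actuator's choice among SWID, SPDX and CycloneDX only affects the parser, and the policy decision sees a single normalized inventory. Adding SWID would mean one more branch that reads `SoftwareIdentity` tags, not a second policy engine.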

From: openc2-lang@lists.oasis-open.org <openc2-lang@lists.oasis-open.org> on behalf of Considine, Toby <Toby.Considine@unc.edu>
Sent: Sunday, December 8, 2019 6:46:46 PM
To: openc2-lang@lists.oasis-open.org <openc2-lang@lists.oasis-open.org>
Subject: [openc2-lang] Meeting Monday of the Language Committee

This is the first step of the transition to the new schedule of First Mondays of the month. This month we are on the second week because I was out of the country and many time zones away last week.


I am looking to finalize the agenda by early morning (to allow folks to get to work and send me a note). It looks like the erratum passed in my absence, so that is good.


If no one makes any suggestions, then I will turn to some of my own language concerns, which is how OpenC2 addresses some of the broader concerns of Operational Technology (OT).


You can find my concerns on the use-cases github (https://github.com/oasis-tcs/openc2-usecases) It may or may not be in the main project or in a branch with my name on it depending upon when you look.


A significant new area, I think, is some sort of queries to improve situation awareness within the cybersecurity realm. What would this look like?


One does not get far into OT w/o running into the issues of alarms/events. Some operational control protocols do not distinguish, and term everything that happened (furnace turned on!) as an alarm. If we choose to support alarms, then OpenC2 must offer firmer guidance than this.


A key issue is that OT often supports critical infrastructure. If I turn off your power, I do not have to take down your server. If I overheat your server room, your firewall and malware prevention will avail you little. Does OpenC2 need new language for this area?


Many control protocols are somewhat obscure, very low level, and essentially occult to the traditional IT world. Some years ago, I worked on an effort to make control protocols travel safely over enterprise networks. OASIS OBIX 1.1 is freely available and can be a quick introduction to how the communications of operational things is developing, if you are interested.  As a control language abstraction, it is not exactly the same as the underlying protocols, but it is at least a document easy to get to.

http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.html


If you do not think that Situation Awareness and OT are the next challenges for the Language Subcommittee, what do you think we should consider next?


tc