Minutes from the September 16 telecon


Charles Schmidt

Sep 16, 2020, 7:28:17 PM
to scap-dev-endpoint
Hi all,

Below are my minutes from the September 16 telecon. Comments and corrections are welcome.

Thanks,
Charles

----------------

Attending: Stephen Banghart (NIST), Dave Kemp (DOD), Danny Martinez (HII-TSD), Charles Schmidt (MITRE), Jessica Fitzgerald-McKay (DOD), David Solin (Joval), Adam Montville (CIS)


OCA

- Charles reported that MITRE has approved the code for release to OCA, pending approval from Jessica’s team. Jessica said that she hoped to have the code release approval in a couple of weeks.

- Charles reported that there were no updates on the prototype. Danny Haynes is focusing on code cleanup and preparation for the workshop in two weeks. Because of that, Charles said he did not expect significant progress on the code in the coming weeks either.

- Charles will forward the invite to the OCA webinar where the SCAP architecture project will be announced to the regular meeting participants.


SCAP Prototype

- Charles and Dave K. noted that the slides describing the prototype could use some cosmetic updates, but the data in them appears to be sufficient to move forward.

- Adam suggested that, in terms of identifying the next implementation priorities, we should focus on the more foundational questions. He gave the example of applicability evaluation, noting that it will have a long reach and will be hard to change later.

- Dave K. explained that the files he shared based on the SCAP prototype slides are the sorts of tables OpenC2 uses to define things. He noted that the format is not just descriptive, but can build JSON schemas to validate content (and might eventually be used to create XSDs). The plan will be to evolve his tables in parallel with developments in the SCAP prototype.


SCAP Workshop

- Dave agreed to present an overview of OpenC2 (20-30 minutes).

- Charles agreed to present an overview of the SCAP architecture (~60 minutes).

- Stephen recommended that the group note that OCA is a possible venue for prototype work by other workgroups.

- No one had other topics. Stephen encouraged people to brainstorm ideas (soon).


SCAP Validation

- Adam asked about the timeline for the SCAP 2.0 validation program. Stephen responded that it was probably years away (or 6-12 months post actual publication of a standard). He recommended that organizations not postpone SCAP 1.3 validation.

- It was noted that interest in SCAP validation appears to have decreased over the years. Stephen felt that this was a case of the key problems that vendors are trying to solve having moved beyond what SCAP 1 does, but that SCAP 2 is trying to address those problems. As such, he feels interest in SCAP 1 is a poor indicator for likely interest in SCAP 2.


SWIDs and SBOMs

- Dave K. mentioned that someone had asked him about the relationship between SCAP and SBOMs. He noted that SCAP could be used to collect SBOMs and thus help with dependency tracing. He suggested that this might be something to clarify to the community as a way to demonstrate SCAP value.

- Stephen noted that SCAP 2 will use SWIDs and that use of SWIDs for SBOMs is also being worked. He noted that NVD will switch from CPE to SWID. Other SBOM standards might be employed by parties (e.g., SPDX or CycloneDX), and NIST is working on mappings for compatibility.


====== ACTION ITEMS =========

Charles – Forward the group the invitation to the OCA webinar for September 22.

Everyone – Brainstorm discussion topics for the SCAP v2 workshop.

Charles – Prepare and share slides for the SCAP Architecture presentation.
