Hello All,
During the last call, I was asked to share a bit more detail about one of the OVAL/SCAP content authoring approaches we’ve experimented with. This approach was designed to enable content authors with varying expertise in the standards to collaborate efficiently: SCAP experts can solve challenging authoring problems in a way that is easily reused by those with little-to-no SCAP-specific knowledge.
The authoring application can be thought of as having 4 tiers:
1) The Authoring Core
This foundational layer includes the application logic and a variety of capabilities designed to simplify common authoring issues such as creating OVAL ids, canonicalizing and deduplicating elements, resolving dependencies between elements, etc.
2) The OVAL/SCAP Model
This layer is a programmatic model of OVAL, XCCDF, ARF, etc. So, for example, it has a programmatic implementation of each of the core OVAL element types (definition, test, object, state, variable) and implementations for each specific OVAL test, object, state and variable. This allows an author to create a new Windows.FileTest(), Windows.FileObject(), Windows.FileState(), etc. These implementations very closely model the OVAL element they represent--there is no real simplification in this layer. In other words, you can author content using the OVAL/SCAP Model directly, but it requires the same OVAL expertise as writing OVAL XML without an authoring tool.
3) The Plugin Layer
This layer is composed of plugins written by OVAL/SCAP experts that simplify specific authoring use cases. Most plugins are functions with simple signatures that use the OVAL/SCAP Model to generate OVAL. For example, a Windows.DirectoryExists(<path>) function would use the Model to create the required Windows file_test and file_object. Other examples include: Windows.AcrobatReaderIsInstalled(); Cisco.SnmpMibsIncluded(<mibs>); etc.
4) The Control Definition Layer
Using this layer, content authors with little-to-no SCAP-specific knowledge can create SCAP content in YAML or a scripting language by combining Plugin calls with some simple syntax provided by the Authoring Core (AND/OR, etc.).
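As an added illustration (not the authoring tool described above; the names AuthoringCore, directory_exists and the dictionary layout of the control definition are assumptions), a minimal Python sketch of the four tiers: the core hands out ids and deduplicates objects, the model layer emits win-def file_object/file_test elements, Windows.DirectoryExists is a plugin, and a YAML-shaped AND/OR control definition is compiled into an OVAL definition.

```python
import xml.etree.ElementTree as ET
OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
WIN, XSI = OVAL + "#windows", "http://www.w3.org/2001/XMLSchema-instance"
for p, u in (("oval-def", OVAL), ("win-def", WIN), ("xsi", XSI)):
    ET.register_namespace(p, u)

class AuthoringCore:  # Tier 1 (assumed name): ids, deduplication, element collection
    def __init__(self, ns="org.example"):
        self.ns, self.n, self.cache, self.tests, self.objects = ns, 0, {}, [], []
    def new_id(self, kind):
        self.n += 1
        return f"oval:{self.ns}:{kind}:{self.n}"
    def file_object(self, path):  # Tier 2 element: win-def:file_object naming a directory
        if path not in self.cache:  # canonical: one object per path, however often referenced
            obj = ET.Element(f"{{{WIN}}}file_object", id=self.new_id("obj"), version="1")
            ET.SubElement(obj, f"{{{WIN}}}path").text = path
            ET.SubElement(obj, f"{{{WIN}}}filename", {f"{{{XSI}}}nil": "true"})
            self.objects.append(obj)
            self.cache[path] = obj
        return self.cache[path]
def directory_exists(core, path):  # Tier 3 plugin: file_test + file_object from one call
    obj = core.file_object(path)
    test = ET.Element(f"{{{WIN}}}file_test", id=core.new_id("tst"), version="1",
                      check="at least one", check_existence="at_least_one_exists")
    ET.SubElement(test, f"{{{WIN}}}object", object_ref=obj.get("id"))
    core.tests.append(test)
    return test.get("id")

PLUGINS = {"Windows.DirectoryExists": directory_exists}
# Tier 4: constructed control definition, shaped like a parsed YAML document.
CONTROL = {"operator": "AND", "checks": [
    {"plugin": "Windows.DirectoryExists", "args": [r"C:\App"]},
    {"operator": "OR", "checks": [
        {"plugin": "Windows.DirectoryExists", "args": [r"C:\App\conf"]},
        {"plugin": "Windows.DirectoryExists", "args": [r"C:\App"]}]}]}

def build_criteria(core, node):  # recursive AND/OR tree -> oval-def:criteria/criterion
    if "plugin" in node:  # leaf: the plugin call becomes a criterion referencing its test
        return ET.Element(f"{{{OVAL}}}criterion", test_ref=PLUGINS[node["plugin"]](core, *node["args"]))
    crit = ET.Element(f"{{{OVAL}}}criteria", operator=node["operator"])
    crit.extend(build_criteria(core, child) for child in node["checks"])
    return crit
def compile_control(control):  # returns (OVAL XML string, core with generated elements)
    core, root = AuthoringCore(), ET.Element(f"{{{OVAL}}}oval_definitions")
    defn = ET.SubElement(ET.SubElement(root, f"{{{OVAL}}}definitions"), f"{{{OVAL}}}definition",
                         id=core.new_id("def"), version="1", **{"class": "compliance"})
    defn.append(build_criteria(core, control))
    ET.SubElement(root, f"{{{OVAL}}}tests").extend(core.tests)
    ET.SubElement(root, f"{{{OVAL}}}objects").extend(core.objects)
    return ET.tostring(root, encoding="unicode"), core
```

The two references to `C:\App` yield three tests but only two objects, which is the deduplication the core is meant to take off the author's hands.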
We’ve implemented this approach for specific customer use cases with some success. In our case, the customers had no SCAP expertise. They write/maintain “Control Definitions” in YAML and the tool outputs SCAP content. When they need to write something they don’t have a Plugin for, they describe the need to us and we write the Plugin.
Best,