I’m reaching out on behalf of the Content Authoring Working Group of the SCAPv2 initiative.
After years of struggling with the complexity (and tedium) of OVAL/XCCDF authoring, we are tackling the problem and working to simplify the creation of security automation content. The project is in its formative stages and is moving quickly. After multiple in-person meetings and teleconferences, we’ve identified a set of incremental changes to OVAL/XCCDF and a tooling strategy designed to:
Before we commit to a solution and start building, we want to ensure that we’re solving the right problems in a useful way. We are also looking to collect use case data from SCAP content authoring organizations to provide assurance that we are scoping the project correctly. We have developed a set of specific questions about the kinds of OVAL/XCCDF authoring that organizations perform, challenges they face, and capabilities they’d like to see in a new, improved authoring solution.
We have been conducting phone interviews to collect feedback. If you would like to offer your requirements and thoughts on SCAP authoring, please respond to this post and we will contact you. If it is more efficient, you could fill out the form (https://github.com/scapcommunity/authoring/blob/master/requirements/SCAP_Authoring_Use_Case_Question_Form_Final.dotx) and send it directly to my GMAIL account, JOESAIN. Our goal is to complete requirements gathering by the end of May.
Thank you for your feedback; it will be very helpful as we develop new and improved SCAP content authoring capabilities.
Regards,
Joe Sain
SCAP Content Authoring Sub-Group Lead
Hello Mr. Borelli –
We would love to receive your feedback on SCAP content authoring. Our goal is to develop requirements from a broad base of SCAP development organizations, including commercial, open source, and government. We can set up a time to discuss by telecon, or you could fill out the form at this link:
Please let me know your preference. My schedule is very flexible; please let me know what dates & times work for you.
Regards,
Joe Sain
From: scap...@list.nist.gov <scap...@list.nist.gov> On Behalf Of Anthony Borelli
Sent: Tuesday, May 26, 2020 5:11 PM
To: SCAP Discussion and Development <scap...@list.nist.gov>
Subject: [EXT] [scap-dev] Re: Simplifying SCAP Authoring
I'm not sure if you are only seeking feedback from open-source SCAP developers, but if you want feedback from commercial developers as well, I'd be happy to answer some questions. I've been focused on SQL Server SCAP tool development, and will be moving to Oracle shortly.
On Thursday, May 21, 2020 at 4:03:41 PM UTC-5, Joe Sain, MITRE wrote:
--
To post to this group, send email to scap...@list.nist.gov
To unsubscribe from this group, send email to
scap-dev+u...@list.nist.gov
Visit this group at https://list.nist.gov/scap-dev
---
To unsubscribe from this group and stop receiving emails from it, send an email to
scap-dev+u...@list.nist.gov.
Organization and Interviewee Name:
Borelli Security Software Inc. Anthony Borelli
1. What type of SCAP content (vulnerability, specific compliance programs, OVAL, XCCDF, etc.) are you authoring and for what operating systems or applications?
☐ OVAL
☒ XCCDF
☒ Vulnerability Content (Specify Below)
☐ Compliance Program Content (Specify Below)
☐ Other (Specify Below)
DISA STIGS for SQL Server 2014 and 2016
2. Approximately how many SCAP Content authors are there in your organization?
# OVAL
2 XCCDF
# Authors create all types of SCAP content
# Other (Specify Content Type Below)
3. What specific areas of content authoring are the most difficult for your authors?
☐ Getting content to run on multiple OVAL engines
☐ Writing XML that validates
☒ Learning what XML elements to populate
☐ It is difficult to know what OVAL schemas to use
☐ Other (Specify Below)
4. What automation would assist you in the authoring of the content that you are developing?
☒ Automate creation of simple, common elements (registry key checks, etc.)
☐ Support for macros that can be defined for common actions
☐ Support for automated filing and tracking of versions to simplify reuse
☒ Example templates
☒ Support for managing complex structures
☐ The ability to compose and split source data stream collections
☐ Other (Specify Below)
5. What customizations to existing SCAP content or 3rd party SCAP content do you perform?
We built our tool from scratch, actually, as there was no good starting point.
6. How do you store the content you create?
☐ Directories in a file system
☐ Database
☐ Content is loaded into scanning tools
☐ GitHub/Other Source Control Mechanism (Specify Below)
☐ Excel
☒ Other (Specify Below)
We write directly to the DISA checklists, but will probably back up a step to produce raw XCCDF output as well, to facilitate testing with NIST.
7. From which external SCAP sources do you collect content?
We scan SQL, AD, WMI, Policy Objects, OS Files/Folders/ACLs, Registry and Certificate hives.
8. What tools do you use to create SCAP content? What enhancements, if any, would you like to see with your current tools?
We built our own .NET application
9. How willing would you be to change the tools that you are currently using if a general-purpose SCAP authoring solution was to be developed?
Not very. The SQL STIGs required a lot of customization, and I’m not sure we could be as thorough with a third-party tool.
10. Are there any challenges your organization would face when adopting a new SCAP authoring solution?
☐ Programming language lock-in
☐ Operating System Lock-in
☒ Ongoing internal tool development
☐ Browser-based versus compiled code
☐ Other (Specify Below)
11. Would your organization be willing to provide occasional feedback during the development of an authoring solution?
Possibly
12. Would your organization consider contributing software development resources toward the development of an SCAP authoring solution (architects, developers, beta testers)?
Probably not.
Requirements
Please specify importance of the following high-level features and capabilities to your organization:
· Simplified SCAP content creation for authors with little-to-no SCAP knowledge.
☐ Very important ☐ Somewhat important ☒ Not important
Comments:
· Tooling that makes SCAP experts more efficient (facilitating content re-use, ID management, change tracking, etc.).
☒ Very important ☐ Somewhat important ☐ Not important
Comments:
· Automation-friendly tooling (APIs, code libraries, etc.) that provides a simple, stable mechanism for generating SCAP component elements (OVAL elements, XCCDF Benchmarks, etc.).
☒ Very important ☐ Somewhat important ☐ Not important
Comments:
· Support for the latest SCAP component specification versions (OVAL, XCCDF, etc.).
☒ Very important ☐ Somewhat important ☐ Not important
Comments:
· Support for legacy SCAP component specification versions more than a few years old.
☒ Very important ☐ Somewhat important ☐ Not important
Comments:
· Creating individual OVAL Definitions and OVAL Definitions Files (no XCCDF Benchmark).
☐ Very important ☐ Somewhat important ☒ Not important
Comments:
· Creating XCCDF Benchmarks using existing OVAL checks (no OVAL creation).
☐ Very important ☐ Somewhat important ☒ Not important
Comments:
· Creating XCCDF Benchmarks and corresponding OVAL checks.
☐ Very important ☐ Somewhat important ☒ Not important
Comments:
Additional Capabilities
Which of the following capabilities would you be interested in seeing in a general-purpose SCAP authoring tool?
☒ The ability to specify common actions (e.g., "check registry key," "check file presence") and have the tool generate content without forcing the author to understand the underlying OVAL/XCCDF language structures.
☒ Support for version/revision control in your tools for content.
☐ The ability to define "macros" and "libraries" that can be saved to be used in future content.
☐ The ability to compose and split source data stream collections
☐ Difference tracking between content sources.
☐ Other (Specify Below)
Do you have any other comments or suggestions?
Thank you for your time! We would like to host the responses on the SCAP Community GitHub site, which is open to the public. Do you have any issues with your responses becoming part of that public collection?
Interviewer:
Thank you for your response, Mr. Borelli!