Access Vulnerability Database with Java

Access Vulnerability Database with Java

vulists
Hi There,

I'm looking for a way to access a Vulnerability Database with Java.

At the moment I'm not 100% sure if it's gonna be OpenVAS or something
else, like e.g. OVAL.

I wanted to ask, if somebody knows some ready-to-use Java API to access
"one of those" Vulnerability Databases.

If that's not the case, does it mean I have to implement my own XML
Parser to get the vulnerability data into my database?

What about standard formats?


Thanks and kind regards

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].

Re: Access Vulnerability Database with Java

Danny Haynes
Administrator
Hi,

Are there specific vulnerability databases that you are looking to access?

Here is a quick overview of some of the things that you mentioned.

OVAL is an XML-based language that provides a framework for making assertions
about a system's state.  It does so by standardizing the three steps of the
assessment process: (1) expressing the expected state of a system (OVAL
Definitions), (2) expressing the system's current state (OVAL System
Characteristics), (3) expressing the results of comparing the expected system
state against the current system state (OVAL Results).  The following diagram
shows how OVAL works.

How OVAL Works
http://oval.mitre.org/about/images/how_oval_works.pdf

From there, you can write OVAL Definitions, run them with an OVAL-capable tool
(like OpenVAS), generate OVAL System Characteristics, and generate OVAL
Results showing the results of the assessment.  You can find a list of
OVAL-capable tools and a list of OVAL content repositories at the following
links.

OVAL-Capable Products
http://oval.mitre.org/adoption/productlist.html

OVAL Content Repositories
http://oval.mitre.org/repository/about/other_repositories.html

Also, are you looking to parse OVAL Definitions or some other XML format?

Any additional information that you could provide would be greatly
appreciated.

Thanks,

Danny
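
The original question asks whether loading OVAL content into a database means writing an XML parser. The following is an added example, not code from this thread or from any project named in it: it streams an OVAL Definitions document with the JDK's StAX parser, with DTDs and external entities disabled, into one flat row per definition. The sample document, its IDs and the CVE placeholder are constructed, and the class, record and method names are assumptions.

```java
import java.io.Reader;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Added example (Java 17); class, record and method names are illustrative.
public class OvalDefinitionReader {
    static final String OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5";
    // Shape of an OVAL 5 definition ID: oval:<namespace>:def:<number>
    static final Pattern DEF_ID = Pattern.compile("oval:[A-Za-z0-9_\\-.]+:def:[1-9][0-9]*");

    /** One flat row per definition, ready to be written to a local database. */
    record Definition(String id, int version, String defClass, String title,
                      List<String> platforms, List<String> cveIds) {}

    static List<Definition> read(Reader in) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Repository content is untrusted input: no DTD processing, no external entities.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader xml = factory.createXMLStreamReader(in);

        List<Definition> rows = new ArrayList<>();
        String id = null, defClass = null, title = null;
        int version = 0;
        List<String> platforms = new ArrayList<>(), cveIds = new ArrayList<>();

        while (xml.hasNext()) {
            int event = xml.next();
            if (event == XMLStreamConstants.DTD) {
                // OVAL content has no need for a DOCTYPE; refuse it if the parser reports one.
                throw new XMLStreamException("DOCTYPE is not allowed in OVAL content");
            }
            boolean start = event == XMLStreamConstants.START_ELEMENT;
            boolean end = event == XMLStreamConstants.END_ELEMENT;
            if (!(start || end) || !OVAL_DEF_NS.equals(xml.getNamespaceURI())) continue;

            String name = xml.getLocalName();
            if (end && name.equals("definition")) {
                rows.add(new Definition(id, version, defClass, title,
                        List.copyOf(platforms), List.copyOf(cveIds)));
                id = null;
            } else if (start && name.equals("definition")) {
                id = xml.getAttributeValue(null, "id");
                defClass = xml.getAttributeValue(null, "class");
                String v = xml.getAttributeValue(null, "version");
                // Validate before the values reach SQL statements, file names or URLs.
                if (id == null || !DEF_ID.matcher(id).matches()
                        || v == null || !v.matches("[0-9]{1,9}")) {
                    throw new XMLStreamException("malformed definition header: id=" + id);
                }
                version = Integer.parseInt(v);
                title = null;
                platforms.clear();
                cveIds.clear();
            } else if (start && id != null && name.equals("title")) {
                title = xml.getElementText().trim();
            } else if (start && id != null && name.equals("platform")) {
                platforms.add(xml.getElementText().trim());
            } else if (start && id != null && name.equals("reference")
                    && "CVE".equals(xml.getAttributeValue(null, "source"))) {
                String refId = xml.getAttributeValue(null, "ref_id");
                if (refId != null) cveIds.add(refId);
            }
        }
        return rows;
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample: the IDs, title and CVE number are placeholders.
        String sample = """
            <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <definitions>
                <definition id="oval:org.example:def:1" version="3" class="vulnerability">
                  <metadata>
                    <title>Example product is affected by a placeholder flaw</title>
                    <affected family="windows"><platform>Microsoft Windows 7</platform></affected>
                    <reference source="CVE" ref_id="CVE-0000-0001"/>
                    <description>Constructed description.</description>
                  </metadata>
                  <criteria><criterion test_ref="oval:org.example:tst:1"/></criteria>
                </definition>
              </definitions>
            </oval_definitions>
            """;
        for (Definition d : read(new StringReader(sample))) {
            System.out.println(d);
        }
    }
}
```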


Re: Access Vulnerability Database with Java

joval
In reply to this post by vulists
jOVAL provides a ready-to-use JAXB data model for the OVAL language, various utility classes, and of course, an evaluation engine and scan plug-ins.  It does not, however, implement access to any on-line repositories.

Feel free to contact me directly if you have any questions.

Regards,
--David Solin

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download



Re: Access Vulnerability Database with Java

Luis Nunez
You know there is talk of producing a standard spec (SACM) to do something like this. I know we are busy but something to think about.

It would be cool for jOVAL to be able to directly query and pull down content directly from SecPod and other repositories in a common way.

-ln




Re: Access Vulnerability Database with Java

joval
We'd certainly be interested in implementing any such standard.  Can you point me to who's actively discussing it?  Does MITRE intend to support any standard approaches to repository access?

Regards,
--David


Re: Access Vulnerability Database with Java

gauravphoenix
I think it is a great idea. Currently I am associating file names with platforms based upon their name - for Windows 7 definitions, I am using microsoft.windows.7.xml. It would be nice if we can have meta-data associated with content repositories. It can include details like last updated, md5/sha1 hash, size, # of defs, etc.

--
Gaurav Kumar
Chief Security Consultant, Pivotal Security LLC | Email: [hidden email] | Phone:(425)686-9695 


Re: Access Vulnerability Database with Java

Kent Landfield
In reply to this post by joval
This has been discussed at the last two ITSAC conferences and the Winter Developer Days last year. Discussions have been had around the needs on the SACM list as well. This is an effort to get a standard means for distributing SCAP related content within an organization and as a potentially federated means of managing content developed by guidance authors such as CIS, NIST, other government entities and industry verticals.

Couple links to past presentations.




There was also a presentation that Adam Montville prepared for the IETF SACM Side meeting. They are available in the zip file of the presentations located in http://www.ietf.org/mail-archive/web/sacm/current/msg00178.html 

This is one of the topics I would like to see developed on the SCAM list.

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com


Re: Access Vulnerability Database with Java

Kent Landfield
;-)

As was properly pointed out to me …there was a typo in my message…

"This is one of the topics I would like to see developed on the SCAM list."

Should have been…

This is one of the topics I would like to see developed on the SACM list.

;-)

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com


Re: Access Vulnerability Database with Java

Chandrashekhar B
In reply to this post by joval

We currently have a simple web services interface in our repo; given the ID, it'll fetch any of the SCAP entities. NISTIR-7799 has I2.1 and I2.2 interfaces which define to some extent. Looking forward to the standardization effort.

Thanks,
Chandra.


Re: Access Vulnerability Database with Java

Jon Baker
Administrator
In reply to this post by gauravphoenix

We would certainly try to support a standard interface to the OVAL Repository. If there is interest in the OVAL community we could hash out the OVAL-specific portion of the larger set of security automation content interfaces that are needed. We could be fairly agile in developing and testing interfaces in the OVAL Repository if that would help us to come to agreement around what the standard set should be. We would be happy to facilitate the community development of repository interfaces.

People have been asking for standard content repository interfaces for a long time. Perhaps if we start with figuring out what is needed for OVAL and implementing it we will be able to make some progress as a community towards addressing the larger need.

As a reminder, in addition to the normal web interface to the repository we have provided a few other ways to grab content from the repository.

- Content RSS Feed - https://oval.mitre.org/repository/data/rss
  This link provides some more information about the query parameters that are supported by the repository feed: https://oval.mitre.org/rss.html
- Download Definition By ID - https://oval.mitre.org/repository/data/DownloadDefinition?id=<YOUR ID HERE>
- Download Test/Object/State/Variable By ID - https://oval.mitre.org/repository/data/DownloadItem?id=<YOUR ID HERE>

These are far from the complete set of interfaces that are needed, but they are available in the OVAL Repository today.

Thanks,

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]


Re: Access Vulnerability Database with Java

joval
I've been thinking about how a user might interact with such a capability from a tool like jOVAL or ovaldi, and really I can't think of a way that it would be practical and useful. Even if you could do something like upload the CPE ID of your target system, you wouldn't necessarily always want to scan for every definition that's conceivably applicable. What you really need is some way to assign the definitions that are relevant, then have them sucked down automatically by the scanner.

Interestingly, this is an issue that XCCDF has already solved to some extent.  An XCCDF document has profiles -- so in that way it already defines what definitions are relevant.  XCCDF also has check "hrefs", which make it possible for the definition to be fetched from a URL that may point to a dynamic repository.  Perhaps better still are XCCDF 1.2 streams, which define checks inline with the rest of the XCCDF (more or less) -- so the whole XCCDF document could be generated dynamically by a server.  Working from that angle, you'd only need a URL and a profile name to pull down all the definitions you want.

XCCDF covers more than just OVAL, however; not sure if that's considered an issue or a bonus! :)

Regards,
--David Solin
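
The idea above, that a URL plus a profile name is enough to identify the definitions to pull, can be made concrete. The following is an added example, not code from jOVAL or from this thread: it reads an XCCDF benchmark, applies one profile's select overrides to the rules, and lists the OVAL check-content-ref targets, marking which hrefs a scanner should be willing to fetch (HTTPS on an allowlisted host). The benchmark, IDs, host names and all Java names are constructed; Group-level selection, profile extends and cluster-id selectors are not handled.

```java
import java.io.StringReader;
import java.net.URI;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

// Added example (Java 17); class, record and method names are illustrative.
public class XccdfProfileChecks {
    static final String OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5";

    record CheckRef(String ruleId, String href, String definitionId, boolean fetchAllowed) {}

    // XCCDF flags are xs:boolean; an absent attribute takes the supplied default.
    static boolean flag(String value, boolean dflt) {
        return value.isEmpty() ? dflt : value.equals("true") || value.equals("1");
    }

    // Only absolute HTTPS URLs on an allowlisted host are fetched; relative hrefs
    // name files shipped alongside the benchmark and are resolved locally instead.
    static boolean fetchAllowed(String href, Set<String> allowedHosts) {
        try {
            URI uri = URI.create(href);
            return "https".equalsIgnoreCase(uri.getScheme()) && uri.getHost() != null
                    && allowedHosts.contains(uri.getHost().toLowerCase(Locale.ROOT));
        } catch (IllegalArgumentException malformed) {
            return false;
        }
    }

    static List<CheckRef> resolve(String xccdf, String profileId, Set<String> allowedHosts)
            throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright, which also rules out external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xccdf)));

        // Step 1: the profile's <select> elements override each rule's own "selected" flag.
        Map<String, Boolean> overrides = null;
        NodeList profiles = doc.getElementsByTagNameNS("*", "Profile");
        for (int i = 0; i < profiles.getLength() && overrides == null; i++) {
            Element profile = (Element) profiles.item(i);
            if (!profileId.equals(profile.getAttribute("id"))) continue;
            overrides = new HashMap<>();
            NodeList selects = profile.getElementsByTagNameNS("*", "select");
            for (int j = 0; j < selects.getLength(); j++) {
                Element select = (Element) selects.item(j);
                overrides.put(select.getAttribute("idref"),
                        flag(select.getAttribute("selected"), true));
            }
        }
        if (overrides == null) throw new IllegalArgumentException("no such profile: " + profileId);

        // Step 2: for every selected rule, collect its OVAL check-content-ref targets.
        List<CheckRef> refs = new ArrayList<>();
        NodeList rules = doc.getElementsByTagNameNS("*", "Rule");
        for (int i = 0; i < rules.getLength(); i++) {
            Element rule = (Element) rules.item(i);
            String ruleId = rule.getAttribute("id");
            if (!overrides.getOrDefault(ruleId, flag(rule.getAttribute("selected"), true))) continue;
            NodeList checks = rule.getElementsByTagNameNS("*", "check");
            for (int j = 0; j < checks.getLength(); j++) {
                Element check = (Element) checks.item(j);
                if (!OVAL_SYSTEM.equals(check.getAttribute("system"))) continue;
                NodeList targets = check.getElementsByTagNameNS("*", "check-content-ref");
                for (int k = 0; k < targets.getLength(); k++) {
                    Element t = (Element) targets.item(k);
                    String href = t.getAttribute("href");
                    refs.add(new CheckRef(ruleId, href, t.getAttribute("name"),
                            fetchAllowed(href, allowedHosts)));
                }
            }
        }
        return refs;
    }

    public static void main(String[] args) throws Exception {
        // Constructed benchmark: every ID, host name and href is a placeholder.
        String benchmark = """
            <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
              <Profile id="xccdf_org.example_profile_workstation">
                <select idref="xccdf_org.example_rule_a" selected="true"/>
                <select idref="xccdf_org.example_rule_b" selected="false"/>
              </Profile>
              <Rule id="xccdf_org.example_rule_a" selected="false"><check system="%1$s">
                <check-content-ref href="https://content.example.org/oval.xml" name="oval:org.example:def:1"/></check></Rule>
              <Rule id="xccdf_org.example_rule_b"><check system="%1$s">
                <check-content-ref href="https://content.example.org/oval.xml" name="oval:org.example:def:2"/></check></Rule>
              <Rule id="xccdf_org.example_rule_c"><check system="%1$s">
                <check-content-ref href="http://mirror.example.net/oval.xml" name="oval:org.example:def:3"/></check></Rule>
            </Benchmark>
            """.formatted(OVAL_SYSTEM);
        resolve(benchmark, "xccdf_org.example_profile_workstation", Set.of("content.example.org"))
                .forEach(System.out::println);
    }
}
```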

On 4/30/2012 6:29 AM, Baker, Jon wrote:

We would certainly try to support a standard interface to the OVAL Repository. If there is interest in the OVAL community we could hash out the OVAL specific portion of the larger set of security automation content interfaces that are needed. We could be fairly agile in developing and testing interfaces in the OVAL Repository if that would help us to come to agreement around what the standard set should be. We would be happy to facilitate the community development of repository interfaces.

People have been asking for standard content repository interfaces for a long time. Perhaps if we start with figuring out what is needed for OVAL and implementing it we will be able to make some progress as a community towards addressing the larger need.

As a reminder, in addition to the normal web interface to the repository we have provided a few other ways to grab content from the repository.

- Content RSS Feed - https://oval.mitre.org/repository/data/rss
  This link provides some more information about the query parameters that are supported by the repository feed: https://oval.mitre.org/rss.html
- Download Definition By ID - https://oval.mitre.org/repository/data/DownloadDefinition?id=<YOUR ID HERE>
- Download Test/Object/State/Variable By ID - https://oval.mitre.org/repository/data/DownloadItem?id=<YOUR ID HERE>

These are far from the complete set of interfaces that are needed, but they are available in the OVAL Repository today.

Thanks,

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]

 

From: Gaurav Kumar [[hidden email]]
Sent: Saturday, April 28, 2012 3:30 PM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

I think it is a great idea. Currently I am associating file names with platforms based upon their name - for Windows 7 definitions, I am using microsoft.windows.7.xml. It would be nice if we can have meta-data associated with content repositories. It can include details like last updated, md5/sha1 hash, size, # of defs etc.

On Sat, Apr 28, 2012 at 9:37 AM, David Solin <[hidden email]> wrote:

We'd certainly be interested in implementing any such standard.  Can you point me to who's actively discussing it?  Does MITRE intend to support any standard approaches to repository access?

Regards,
--David



On 4/28/2012 6:56 AM, Luis Nunez wrote:

You know there is talk of producing a standard spec (sacm) to do something like this.  I know we are busy but something to think about.

It would be cool for joval to be able to directly query and pull down content directly from SecPod and other repositories in a common way.

-ln

On Apr 27, 2012, at 5:39 PM, David Solin wrote:



jOVAL provides a ready-to-use JAXB data model for the OVAL language, various utility classes, and of course, an evaluation engine and scan plug-ins.  It does not, however, implement access to any on-line repositories.

Feel free to contact me directly if you have any questions.

Regards,
--David Solin

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!


On 4/27/2012 8:48 AM, vulists wrote:

Hi There,
 
I'm looking for a way to access a Vulnerability Database with Java.
 
At the moment I'm not 100% sure if its gonna be OpenVAS or something
else, like e.g. OVAL.
 
I wanted to ask, if somebody knows some ready-to-use Java API to access
"one of those" Vulnerability Databases.
 
If thats not the case, does it mean I have to implement my own XML
Parser to get the vulnerability data into my database?
 
What about standard formats?
 
 
Thanks and kind regards
 

--

Gaurav Kumar
Chief Security Consultant, Pivotal Security LLC | Email: [hidden email] | Phone:(425)686-9695 

 


Re: [Content Repositories] Access Vulnerability Database with Java

Luis Nunez
Cross listing to SACM.  

Depicted in slide 6 of:
http://www.ietf.org/mail-archive/web/sacm/current/msg00178.html 

We see three layers. Authoritative, Organizational and Tool Vendor content.  I think we can evolve to creating a dynamic query once we establish a "Query/Response" protocol between these entities. Question: is there an existing protocol we can leverage?  Preference being something that has TLS support.

As for "Global Registry".  Will having one central registry suffice or will there need to be a distributed/decentralized regional registry?  This is a bigger problem to address along the lines of globalizing CVE.  But in any case a common protocol to connect will be needed.

-ln

On Apr 30, 2012, at 8:52 AM, David Solin wrote:

> I've been thinking about how a user might interact with such a capability from a tool like jOVAL or ovaldi, and really I can't think of a way that it would be practical and useful.  Even if you could do something like upload the CPE ID of your target system, you wouldn't necessarily always want to scan for every definition that's conceivably applicable.  What you really need is some way to assign the definitions that are relevant, then have them sucked down automatically by the scanner.
>
> Interestingly, this is an issue that XCCDF has already solved to some extent.  An XCCDF document has profiles -- so in that way it already defines what definitions are relevant.  XCCDF also has check "hrefs", which make it possible for the definition to be fetched from a URL that may point to a dynamic repository.  Perhaps better still are XCCDF 1.2 streams, which define checks inline with the rest of the XCCDF (more or less) -- so the whole XCCDF document could be generated dynamically by a server.  Working from that angle, you'd only need a URL and a profile name to pull down all the definitions you want.
>
> XCCDF covers more than just OVAL, however; not sure if that's considered an issue or a bonus! :)
>
> Regards,
> --David Solin
>

Re: Access Vulnerability Database with Java

vulists
In reply to this post by joval
Hi David,

Thank you for your reply! I was busy over the weekend and that's why I'm
replying now.

My basic concern at the moment is, how to access and query the (OpenVAS)
database. In terms of performance, I'm thinking to hold a local copy of
all the data and update it incrementally.

Is that possible with jOVAL? If not, what should I use or do?



thanks!


> jOVAL provides a ready-to-use JAXB data model for the OVAL language,
> various utility classes, and of course, an evaluation engine and scan
> plug-ins.  It does not, however, implement access to any on-line
> repositories.
>
> Feel free to contact me directly if you have any questions.
>
> Regards,
> --David Solin
>

Re: Access Vulnerability Database with Java

vulists
In reply to this post by Danny Haynes
Hi Danny,

Thanks for your reply!

> Hi,
>
> Are there specific vulnerability database that you are looking to access?

At the moment, I'm thinking about using OpenVAS (OVAL), but there're
thoughts about using the "National Vulnerability Database" (NVD) as well
as CVE (http://cve.mitre.org/).

I'm new to this sector, so it's quite difficult to decide which one is
the one with good support in the future...

>
> For a quick overview of some of the things that you mentioned.
>
> OVAL is an xml-based language that provides a framework for making assertions
> about a system's state.  It does so by standardizing the three steps of the
> assessment process: (1) expressing the expected state of a system (OVAL
> Definitions), (2) expressing the system's current state (OVAL System
> Characteristics), (3) expressing the results of comparing the expected system
> state against the current system state (OVAL Results).  The following diagram
> shows how OVAL works.
>
> How OVAL Works
> http://oval.mitre.org/about/images/how_oval_works.pdf
>
> From there, you can write OVAL Definitions, run them with an OVAL-capable tool
> (like OpenVAS), generate OVAL System Characteristics, and generate OVAL
> Results showing the results of the assessment.  You can find a list of
> OVAL-capable tools and a list of OVAL content repositories at the following
> links.
>
> OVAL-Capable Products
> http://oval.mitre.org/adoption/productlist.html
>
> OVAL Content Repositories
> http://oval.mitre.org/repository/about/other_repositories.html
>
> Also, are you looking to parse OVAL Definitions or some other XML format?

Yes, I think so.

I have some scan results in an arbitrary format which are kept in a
database. I have to check those scan results against some vulnerability
database to find out if there are security concerns.

>
> Any additional information that you could provide, would be greatly
> appreciated?
>
> Thanks,
>
> Danny



kind regards

Tobias

>

Re: Access Vulnerability Database with Java

Waltermire, David A.
In reply to this post by Kent Landfield

With some of the current email discussion, I’d like to provide a brief update on some projects my team has been working on in this area.  We are currently working on the following activities:

1) Prototyping a federated, generalized XML-based content repository approach.  The current effort is using a metamodel to describe the key objects (called “entities”) in an XML model and the content references (called “relationships”) that exist within an XML document.  We have developed a shredder that reads in an XML instance, breaking down the entities and relationships.  It then persists the XML chunks in an XML database and the entity and relationship information in a non-relational RDF database.  We can also request the content back out of the datastore and reconstitute it.  The approach we are using does not perturb the underlying XML infoset, so signatures can be verified for content retrieved out of the repository.

We are currently working on web service (SOAP and REST) interfaces and a generalized query language.  Our current development phase will end in the next couple months.  We hope to have a downloadable demo available before Security Automation Developer Days in early July that will support requesting an SCAP datastream or a collection of OVAL/OCIL definitions (and related components) by identifier and version.

We are avoiding the registration problem by extracting a DNS name out of the content identifier.

For example, the content referenced by:

oval:org.mitre.oval:def:1

can be retrieved by the content server “oval.mitre.org”.

The plan is to use this to look up a DNS SRV record (RFC 2782) to locate the repository that is responsible for the content identified.  This can be used to dynamically retrieve the referenced content.  We are just starting to work out an XML format for repository-to-repository information exchange to enable this communication.

At this point our current repository code is not far from replacing the data backend that is used for the OVAL repository.  The cool thing about the overall approach is that no OVAL specific code is necessary.  We have created XML-based shredding rules for SCAP datastream, OVAL 5.10.1 and XCCDF 1.2 formats.  It is fairly trivial to create new shredding rules for additional models.

You can review the code at:

http://code.google.com/p/security-automation-content-repository/

Most of our work is being done in the SVN branch:

http://security-automation-content-repository.googlecode.com/svn/branches/new-shredder

The documentation is very sparse and the code needs some cleanup.  We plan to work on this in the near future.  Our long-term goal is to provide a freely available, production capable content repository server that can participate in a federated network of content servers.

2) We have also been working on a content repository specification.  The goal for this document is to describe the overall federation approach and to detail the data exchange models, interfaces and transports needed to support interoperability.  I plan to have a draft of this specification ready in September.  I would be happy to submit this as an individual submission to the IETF when it is more complete.

My hope is that this work will address many of the community's challenges in this area.  I’d appreciate any thoughts or feedback on this overall approach.  Please let me know if you have any questions.  I have also requested a session at the Security Automation Developer Days hosted by MITRE in early July to review and discuss this work in greater detail.

Sincerely,

Dave Waltermire
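The identifier-to-repository mapping described in the message above, as an added Java example that is not part of the original post or of the repository project's code. The SRV service label `_oval-content._tcp` and the SRV answers are constructed placeholders (the thread names neither), and ordering same-priority records by weight is a deterministic simplification of RFC 2782's weighted random choice.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OvalRepositoryLocator {
    // Identifier shape used by OVAL 5.x: oval:<namespace>:<def|tst|obj|ste|var>:<number>
    private static final Pattern OVAL_ID = Pattern.compile(
            "oval:([A-Za-z0-9_\\-.]+):(def|tst|obj|ste|var):([1-9][0-9]*)");
    // A host-name label: letters, digits, inner hyphens, 1 to 63 characters.
    private static final Pattern HOST_LABEL = Pattern.compile(
            "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?");
    // ASSUMPTION: placeholder service label; the thread does not name one.
    static final String SRV_PREFIX = "_oval-content._tcp.";

    /** Reverses the identifier's namespace into the DNS name of its repository. */
    static String repositoryHost(String ovalId) {
        Matcher m = OVAL_ID.matcher(ovalId);
        if (!m.matches()) {
            throw new IllegalArgumentException("not an OVAL identifier: " + ovalId);
        }
        String namespace = m.group(1);
        List<String> labels = new ArrayList<>(Arrays.asList(namespace.split("\\.", -1)));
        for (String label : labels) {
            // The OVAL pattern allows '_' and empty labels; a host name does not.
            if (!HOST_LABEL.matcher(label).matches()) {
                throw new IllegalArgumentException("namespace is not a host name: " + namespace);
            }
        }
        Collections.reverse(labels);
        String host = String.join(".", labels).toLowerCase(Locale.ROOT);
        if (host.length() > 253) {
            throw new IllegalArgumentException("namespace is too long for a host name");
        }
        return host;
    }

    /** One SRV answer in presentation form: "priority weight port target". */
    static final class Srv {
        final int priority, weight, port;
        final String target;

        Srv(String rdata) {
            String[] f = rdata.trim().split("\\s+");
            if (f.length != 4) throw new IllegalArgumentException("bad SRV data: " + rdata);
            priority = Integer.parseInt(f[0]);
            weight = Integer.parseInt(f[1]);
            port = Integer.parseInt(f[2]);
            target = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3];
        }

        @Override public String toString() {
            return target + ":" + port + " (priority " + priority + ", weight " + weight + ")";
        }
    }

    /** Usable repositories, lowest priority value first, then heaviest weight first. */
    static List<Srv> candidates(List<String> answers) {
        List<Srv> out = new ArrayList<>();
        for (String rdata : answers) {
            Srv s = new Srv(rdata);
            if (s.target.isEmpty()) continue; // a target of "." means the service is not offered
            if (s.port < 1 || s.port > 65535) throw new IllegalArgumentException("bad port: " + rdata);
            out.add(s);
        }
        out.sort((a, b) -> a.priority != b.priority
                ? Integer.compare(a.priority, b.priority)
                : Integer.compare(b.weight, a.weight));
        return out;
    }

    public static void main(String[] args) {
        String id = "oval:org.mitre.oval:def:1"; // the identifier quoted in the thread
        String host = repositoryHost(id);
        System.out.println(id + " -> " + host);
        System.out.println("SRV query name: " + SRV_PREFIX + host);

        // Constructed SRV answers; a resolver would supply these in a deployment.
        List<String> answers = Arrays.asList(
                "20 0 443 mirror.repo.example.net.",
                "10 40 8443 content2.repo.example.net.",
                "10 60 443 content1.repo.example.net.",
                "30 0 0 .");
        for (Srv s : candidates(answers)) System.out.println("  try " + s);

        // Identifiers that satisfy the OVAL pattern but must not be turned into DNS queries.
        for (String bad : new String[] {"oval:com.example_corp:def:7", "oval:org..oval:def:1"}) {
            try {
                repositoryHost(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```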

 

From: Kent Landfield [mailto:[hidden email]]
Sent: Saturday, April 28, 2012 6:17 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

;-)

As was properly pointed out to me … there was a typo in my message…

"This is one of the topics I would like to see developed on the SCAM list."

Should have been…

This is one of the topics I would like to see developed on the SACM list.

;-)

 

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com

 

From: <Landfield>, Kent Landfield <[hidden email]>
Reply-To: "OVAL Developer List (Closed Public Discussion)" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

This has been discussed at the last two ITSAC conferences and the Winter Developer Days last year.  Discussions have been had around the needs on the SACM list as well.   This is an effort to get a standard means for distributing SCAP related content within an organization and as a potentially federated means of managing content developed by guidance authors such as CIS, NIST, other government entities and industry verticals.

 

Couple links to past presentations.

 

 

 

 

There was also a presentation that Adam Montville prepared for the IETF SACM Side meeting. They are available in the zip file of the presentations located in http://www.ietf.org/mail-archive/web/sacm/current/msg00178.html 

 

This is one of the topics I would like to see developed on the SCAM list.

 

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com

 


Re: Access Vulnerability Database with Java

Serkan Özkan
Hello,
As some of you may already know, my site, www.itsecdb.com, collects OVAL definitions from multiple sources, processes them, and provides a human-readable interface. My code processes OVAL definitions and stores them in a MySQL database.

If someone, for example MITRE, sponsors the work and hosting, I can develop a web service interface to query definitions. So we can create a public repository which can be queried by not only definition IDs but any value like version numbers, filenames etc. For example, if you have schannel.dll version 5.2.3790.4724 you can query the database and get a list of definitions that use this version number of this file. (You can already do this manually at itsecdb.com, but there is no API access available.)

I had not thought about doing something like this before but this discussion made me think that this may be possible, just an idea.
Regards,
Serkan Özkan


On Thu, May 3, 2012 at 12:34 AM, Waltermire, David A. <[hidden email]> wrote:

With some of the current email discussion, I’d like to provide a brief update on some projects my team has been working on in this area.  We are currently working on the following activities:

 

1)      Prototyping a federated, generalized XML-based content repository approach.  The current effort is using a metamodel to describe the key objects (called “entities”) in an XML model and the content references (called “relationships”) that exist within an XML document.  We have developed a shredder that reads in an XML instance, breaking down the entities and relationships.  It then persists the XML chunks in an XML database and the entity and relationship information in a non-relational RDF database.  We can also request the content back out of the datastore and reconstitute it.  The approach we are using does not perturb the underlying XML infoset, so signatures can be verified for content retrieved out of the repository.

 

We are currently working on web service (SOAP and REST) interfaces and a generalized query language.  Our current development phase will end in the next couple months.  We hope to have a downloadable demo available before Security Automation Developer Days in early July that will support requesting an SCAP datastream or a collection of OVAL/OCIL definitions (and related components) by identifier and version.

 

We are avoiding the registration problem by extracting a DNS name out of the content identifier. 

 

For example the content referenced by:

 

oval:org.mitre.oval:def:1

 

Can be retrieved by the content server “oval.mitre.org”.

 

The plan is to use this to lookup a DNS SRV record (RFC 2782) to locate the repository that is responsible for the content identified.  This can be used to dynamically retrieve the referenced content.  We are just starting to work out an XML format for repository-to-repository information exchange to enable this communication.

 

At this point our current repository code is not far from replacing the data backend that is used for the OVAL repository.  The cool thing about the overall approach is that no OVAL specific code is necessary.  We have created XML-based shredding rules for SCAP datastream, OVAL 5.10.1 and XCCDF 1.2 formats.  It is fairly trivial to create new shredding rules for additional models.

 

You can review the code at:

 

http://code.google.com/p/security-automation-content-repository/

 

Most of our work is being done in the SVN branch:

 

http://security-automation-content-repository.googlecode.com/svn/branches/new-shredder

 

The documentation is very sparse and the code needs some cleanup.  We plan to work on this in the near future.  Our long-term goal is to provide a freely available, production capable content repository server that can participate in a federated network of content servers.

 

2)      We have also been working on a content repository specification.  The goal for this document is to describe the overall federation approach and to detail the data exchange models, interfaces and transports needed to support interoperability.  I plan to have a draft of this specification ready in September.  I would be happy to submit this as an individual submission to the IETF when it is more complete.

 

My hope is that this work will address many of the communities challenges in this area.  I’d appreciate any thoughts or feedback on this overall approach.  Please let me know if you have any questions.  I have also requested a session at the Security Automation Developer Days hosted by MITRE in early July to review and discuss this work in greater detail.

 

Sincerely,

Dave Waltermire

 

From: Kent Landfield [mailto:[hidden email]]
Sent: Saturday, April 28, 2012 6:17 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

;-)

 

As was properly pointed out to me …there was a typo in my message…

 

"This is one of the topics I would like to see developed on the SCAM list."

 

Should have been…

 

This is one of the topics I would like to see developed on the SACM list.

 

;-)

 

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: <a href="tel:%2B1.972.963.7096" value="+19729637096" target="_blank">+1.972.963.7096 
Mobile: <a href="tel:%2B1.817.637.8026" value="+18176378026" target="_blank">+1.817.637.8026
Web: www.mcafee.com

 

From: <Landfield>, Kent Landfield <[hidden email]>
Reply-To: "OVAL Developer List (Closed Public Discussion)" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

This has been discussed at the last two ITSAC conference and the Winter Developer Days last year.  Discussions have been had around the needs on the SACM list as well.   This is an effort to get a standard means for distributing SCAP related content within an organization and as a potentially federated means of managing content developed by guidance authors such as CIS, NIST, other government entities and industry verticals.

 

Couple links to past presentations.

 

 

 

 

There was also a presentation that Adam Montville prepared for the IETF SACM Side meeting. They are available in the zip file of the presentations located in http://www.ietf.org/mail-archive/web/sacm/current/msg00178.html 

 

This is one of the topics I would like to see developed on the SCAM list.

 

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096
Mobile: +1.817.637.8026
Web: www.mcafee.com

 

From: David Solin <[hidden email]>
Reply-To: "OVAL Developer List (Closed Public Discussion)" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

We'd certainly be interested in implementing any such standard.  Can you point me to who's actively discussing it?  Does MITRE intend to support any standard approaches to repository access?

Regards,
--David

On 4/28/2012 6:56 AM, Luis Nunez wrote:

You know there is talk of producing a standard spec (sacm) to do something like this.  I know we are busy but something to think about.

 

It would be cool for jOVAL to be able to directly query and pull down content directly from SecPod and other repositories in a common way.

 

-ln

 

 

 

On Apr 27, 2012, at 5:39 PM, David Solin wrote:



jOVAL provides a ready-to-use JAXB data model for the OVAL language, various utility classes, and of course, an evaluation engine and scan plug-ins.  It does not, however, implement access to any on-line repositories.

Feel free to contact me directly if you have any questions.

Regards,
--David Solin

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download


On 4/27/2012 8:48 AM, vulists wrote:

Hi There,
 
I'm looking for a way to access a Vulnerability Database with Java.
 
At the moment I'm not 100% sure if it's gonna be OpenVAS or something
else, like e.g. OVAL.
 
I wanted to ask, if somebody knows some ready-to-use Java API to access
"one of those" Vulnerability Databases.
 
If that's not the case, does it mean I have to implement my own XML
Parser to get the vulnerability data into my database?
 
What about standard formats?
 
 
Thanks and kind regards
 

 

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download


Re: [sacm] [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

Waltermire, David A.
In reply to this post by Waltermire, David A.

Yes.  We plan to provide a Java client resolver API and a command line utility similar to DNS.  We will also be seeking comments on the service interfaces once we have some running code and documentation.

 

Sincerely,

Dave

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
Sent: Wednesday, May 02, 2012 7:57 PM
To: [hidden email]
Subject: Re: [sacm] [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

Hi David,

Will this project include a reference client implementation?  Will your team be seeking comments on the REST and SOAP interfaces?

Regards,
--David Solin

On 5/2/2012 6:34 PM, Michael Hammer wrote:

David,

 

Is there any IPR associated with this?

 

Mike

 

 

From: [hidden email] [[hidden email]] On Behalf Of Waltermire, David A.
Sent: Wednesday, May 02, 2012 5:34 PM
To: OVAL Developer List (Closed Public Discussion); [hidden email]
Subject: Re: [sacm] [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

With some of the current email discussion, I’d like to provide a brief update on some projects my team has been working on in this area.  We are currently working on the following activities:

 

1)     Prototyping a federated, generalized XML-based content repository approach.  The current effort is using a metamodel to describe the key objects (called “entities”) in an XML model and the content references (called “relationships”) that exist within an XML document.  We have developed a shredder that reads in an XML instance, breaking down the entities and relationships.  It then persists the XML chunks in an XML database and the entity and relationship information in a non-relational RDF database.  We can also request the content back out of the datastore and reconstitute it.  The approach we are using does not perturb the underlying XML infoset, so signatures can be verified for content retrieved out of the repository.

 

We are currently working on web service (SOAP and REST) interfaces and a generalized query language.  Our current development phase will end in the next couple months.  We hope to have a downloadable demo available before Security Automation Developer Days in early July that will support requesting an SCAP datastream or a collection of OVAL/OCIL definitions (and related components) by identifier and version.

 

We are avoiding the registration problem by extracting a DNS name out of the content identifier. 

 

For example the content referenced by:

 

oval:org.mitre.oval:def:1

 

Can be retrieved by the content server “oval.mitre.org”.

 

The plan is to use this to look up a DNS SRV record (RFC 2782) to locate the repository that is responsible for the content identified.  This can be used to dynamically retrieve the referenced content.  We are just starting to work out an XML format for repository-to-repository information exchange to enable this communication.

 

At this point our current repository code is not far from replacing the data backend that is used for the OVAL repository.  The cool thing about the overall approach is that no OVAL specific code is necessary.  We have created XML-based shredding rules for SCAP datastream, OVAL 5.10.1 and XCCDF 1.2 formats.  It is fairly trivial to create new shredding rules for additional models.

 

You can review the code at:

 

http://code.google.com/p/security-automation-content-repository/

 

Most of our work is being done in the SVN branch:

 

http://security-automation-content-repository.googlecode.com/svn/branches/new-shredder

 

The documentation is very sparse and the code needs some cleanup.  We plan to work on this in the near future.  Our long-term goal is to provide a freely available, production capable content repository server that can participate in a federated network of content servers.

 

2)     We have also been working on a content repository specification.  The goal for this document is to describe the overall federation approach and to detail the data exchange models, interfaces and transports needed to support interoperability.  I plan to have a draft of this specification ready in September.  I would be happy to submit this as an individual submission to the IETF when it is more complete.

 

My hope is that this work will address many of the community’s challenges in this area.  I’d appreciate any thoughts or feedback on this overall approach.  Please let me know if you have any questions.  I have also requested a session at the Security Automation Developer Days hosted by MITRE in early July to review and discuss this work in greater detail.

 

Sincerely,

Dave Waltermire

 

From: Kent Landfield [hidden email]
Sent: Saturday, April 28, 2012 6:17 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

;-)

 

As was properly pointed out to me …there was a typo in my message…

 

"This is one of the topics I would like to see developed on the SCAM list."

 

Should have been…

 

This is one of the topics I would like to see developed on the SACM list.

 

;-)

 

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com

 

From: <Landfield>, Kent Landfield <[hidden email]>
Reply-To: "OVAL Developer List (Closed Public Discussion)" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

This has been discussed at the last two ITSAC conferences and the Winter Developer Days last year.  Discussions have been had around the needs on the SACM list as well.   This is an effort to get a standard means for distributing SCAP related content within an organization and as a potentially federated means of managing content developed by guidance authors such as CIS, NIST, other government entities and industry verticals.

 

Couple links to past presentations.

 

 

 

 

There was also a presentation that Adam Montville prepared for the IETF SACM Side meeting. They are available in the zip file of the presentations located in http://www.ietf.org/mail-archive/web/sacm/current/msg00178.html 

 

This is one of the topics I would like to see developed on the SCAM list.

 

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com

 

From: David Solin <[hidden email]>
Reply-To: "OVAL Developer List (Closed Public Discussion)" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

We'd certainly be interested in implementing any such standard.  Can you point me to who's actively discussing it?  Does MITRE intend to support any standard approaches to repository access?

Regards,
--David

On 4/28/2012 6:56 AM, Luis Nunez wrote:

You know there is talk of producing a standard spec (sacm) to do something like this.  I know we are busy but something to think about.

 

It would be cool for jOVAL to be able to directly query and pull down content directly from SecPod and other repositories in a common way.

 

-ln

 

 

 

On Apr 27, 2012, at 5:39 PM, David Solin wrote:

 

jOVAL provides a ready-to-use JAXB data model for the OVAL language, various utility classes, and of course, an evaluation engine and scan plug-ins.  It does not, however, implement access to any on-line repositories.

Feel free to contact me directly if you have any questions.

Regards,
--David Solin

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download


On 4/27/2012 8:48 AM, vulists wrote:

Hi There,
 
I'm looking for a way to access a Vulnerability Database with Java.
 
At the moment I'm not 100% sure if it's gonna be OpenVAS or something
else, like e.g. OVAL.
 
I wanted to ask, if somebody knows some ready-to-use Java API to access
"one of those" Vulnerability Databases.
 
If that's not the case, does it mean I have to implement my own XML
Parser to get the vulnerability data into my database?
 
What about standard formats?
 
 
Thanks and kind regards
 

 

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download





_______________________________________________
sacm mailing list
[hidden email]
https://www.ietf.org/mailman/listinfo/sacm

 

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download
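
The identifier-to-repository step described in Dave Waltermire's message above, as an added Java example that is not code from the thread or from the security-automation-content-repository project: it reverses the identifier's namespace into a DNS name (which reproduces the thread's `oval.mitre.org` example), refuses namespaces that are not valid host names, and orders SRV answers. The service label `_scap-content._tcp` is a hypothetical placeholder because the thread names none, and the SRV records in `main` are constructed sample data.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Hashtable;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class ContentRepositoryLocator {
    // OVAL identifier shape: oval:<reverse-DNS namespace>:<type>:<number>
    private static final Pattern OVAL_ID =
        Pattern.compile("oval:([A-Za-z0-9_.-]+):(def|tst|obj|ste|var):([1-9][0-9]*)");
    // A single DNS host label: letters, digits, inner hyphens, at most 63 characters.
    private static final Pattern DNS_LABEL =
        Pattern.compile("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");
    // ASSUMPTION: hypothetical service label; the thread does not name one.
    static final String SRV_PREFIX = "_scap-content._tcp.";

    /** One SRV record as defined by RFC 2782: priority, weight, port, target. */
    static final class SrvRecord {
        final int priority, weight, port;
        final String target;
        SrvRecord(int priority, int weight, int port, String target) {
            this.priority = priority; this.weight = weight; this.port = port; this.target = target;
        }
        @Override public String toString() {
            return target + ":" + port + " (priority " + priority + ", weight " + weight + ")";
        }
    }

    /** Reverses the identifier's namespace into a DNS name, rejecting anything unsafe to query. */
    static String repositoryDomain(String contentId) {
        Matcher m = OVAL_ID.matcher(contentId);
        if (!m.matches()) throw new IllegalArgumentException("not an OVAL identifier: " + contentId);
        String[] labels = m.group(1).split("\\.", -1); // -1 keeps empty labels so "a..b" is caught
        if (labels.length < 2) throw new IllegalArgumentException("namespace is not a domain: " + m.group(1));
        StringBuilder domain = new StringBuilder();
        for (int i = labels.length - 1; i >= 0; i--) {
            // OVAL namespaces allow '_' and a leading '-', which host names do not.
            if (!DNS_LABEL.matcher(labels[i]).matches())
                throw new IllegalArgumentException("not a DNS label: '" + labels[i] + "'");
            if (domain.length() > 0) domain.append('.');
            domain.append(labels[i].toLowerCase(Locale.ROOT));
        }
        if (domain.length() > 253) throw new IllegalArgumentException("DNS name too long");
        return domain.toString();
    }

    /** Parses SRV RDATA text of the form "priority weight port target". */
    static SrvRecord parseSrv(String rdata) {
        String[] f = rdata.trim().split("\\s+");
        if (f.length != 4) throw new IllegalArgumentException("malformed SRV RDATA: " + rdata);
        int[] n = new int[3];
        for (int i = 0; i < 3; i++) {
            n[i] = Integer.parseInt(f[i]);
            if (n[i] < 0 || n[i] > 65535) throw new IllegalArgumentException("field out of range: " + rdata);
        }
        String target = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3];
        return new SrvRecord(n[0], n[1], n[2], target);
    }

    /** Lowest priority first; within a priority, highest weight first (a deterministic
     *  simplification of the weighted random choice that RFC 2782 specifies). */
    static List<SrvRecord> order(List<String> rdataValues) {
        List<SrvRecord> records = new ArrayList<>();
        for (String rdata : rdataValues) {
            SrvRecord r = parseSrv(rdata);
            if (!r.target.isEmpty()) records.add(r); // a target of "." means "service not offered"
        }
        records.sort(Comparator.comparingInt((SrvRecord r) -> r.priority)
                .thenComparing(Comparator.comparingInt((SrvRecord r) -> r.weight).reversed()));
        return records;
    }

    /** Live SRV lookup through the JDK's JNDI DNS provider and the system resolvers. */
    static List<SrvRecord> lookup(String domain) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        DirContext ctx = new InitialDirContext(env);
        try {
            Attribute srv = ctx.getAttributes(SRV_PREFIX + domain, new String[] {"SRV"}).get("SRV");
            List<String> rdata = new ArrayList<>();
            if (srv != null) {
                NamingEnumeration<?> values = srv.getAll();
                while (values.hasMore()) rdata.add(values.next().toString());
            }
            return order(rdata);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        String domain = repositoryDomain("oval:org.mitre.oval:def:1"); // identifier from the thread
        System.out.println(domain + " -> query " + SRV_PREFIX + domain);
        // Constructed SRV answers, so the example runs without network access.
        List<String> constructed = List.of("20 0 443 backup.example.org.",
                "10 40 8443 repo2.example.org.", "10 60 443 repo1.example.org.");
        for (SrvRecord r : order(constructed)) System.out.println("  " + r);
        for (String bad : new String[] {"oval:org..mitre:def:1", "oval:org.bad_label:def:1", "oval:-x.org:def:1"}) {
            try { repositoryDomain(bad); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
        if (args.length > 0) // optional live lookup for an identifier given on the command line
            for (SrvRecord r : lookup(repositoryDomain(args[0]))) System.out.println("  live: " + r);
    }
}
```

DNS answers are unauthenticated unless the resolver validates DNSSEC, so content fetched from the located server should still have its XML signature checked, which the message says the repository preserves.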


Re: [sacm] [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

Luis Nunez
Hi Dave,
Thanks for the update on the prototype repository.  Does this effort fall into the use case:
 "3.4.  UC4: Secure Exchange of Governance, Risk and Compliance (GRC) Information

   Sharing security and/or operationally relevant information within and
   across trust boundaries using secure, automated communication
   channels and formats."

I see this prototype as a building block in achieving this use case.  

What do others think?


-ln

On May 3, 2012, at 9:35 AM, Waltermire, David A. wrote:

Yes.  We plan to provide a Java client resolver API and a command line utility similar to DNS.  We will also be seeking comments on the service interfaces once we have some running code and documentation.
 
Sincerely,
Dave
 
From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
Sent: Wednesday, May 02, 2012 7:57 PM
To: [hidden email]
Subject: Re: [sacm] [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java
 
Hi David,

Will this project include a reference client implementation?  Will your team be seeking comments on the REST and SOAP interfaces?

Regards,
--David Solin

On 5/2/2012 6:34 PM, Michael Hammer wrote:
David,
 
Is there any IPR associated with this?
 
Mike
 
 
From: [hidden email] [[hidden email]] On Behalf Of Waltermire, David A.
Sent: Wednesday, May 02, 2012 5:34 PM
To: OVAL Developer List (Closed Public Discussion); [hidden email]
Subject: Re: [sacm] [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java
 
With some of the current email discussion, I’d like to provide a brief update on some projects my team has been working on in this area.  We are currently working on the following activities:
 
1)     Prototyping a federated, generalized XML-based content repository approach.  The current effort is using a metamodel to describe the key objects (called “entities”) in an XML model and the content references (called “relationships”) that exist within an XML document.  We have developed a shredder that reads in an XML instance, breaking down the entities and relationships.  It then persists the XML chunks in an XML database and the entity and relationship information in a non-relational RDF database.  We can also request the content back out of the datastore and reconstitute it.  The approach we are using does not perturb the underlying XML infoset, so signatures can be verified for content retrieved out of the repository.
 
We are currently working on web service (SOAP and REST) interfaces and a generalized query language.  Our current development phase will end in the next couple months.  We hope to have a downloadable demo available before Security Automation Developer Days in early July that will support requesting an SCAP datastream or a collection of OVAL/OCIL definitions (and related components) by identifier and version.
 
We are avoiding the registration problem by extracting a DNS name out of the content identifier. 
 
For example the content referenced by:
 
oval:org.mitre.oval:def:1
 
Can be retrieved by the content server “oval.mitre.org”.
 
The plan is to use this to look up a DNS SRV record (RFC 2782) to locate the repository that is responsible for the content identified.  This can be used to dynamically retrieve the referenced content.  We are just starting to work out an XML format for repository-to-repository information exchange to enable this communication.
 
At this point our current repository code is not far from replacing the data backend that is used for the OVAL repository.  The cool thing about the overall approach is that no OVAL specific code is necessary.  We have created XML-based shredding rules for SCAP datastream, OVAL 5.10.1 and XCCDF 1.2 formats.  It is fairly trivial to create new shredding rules for additional models.
 
You can review the code at:
 
 
Most of our work is being done in the SVN branch:
 
 
The documentation is very sparse and the code needs some cleanup.  We plan to work on this in the near future.  Our long-term goal is to provide a freely available, production capable content repository server that can participate in a federated network of content servers.
 
2)     We have also been working on a content repository specification.  The goal for this document is to describe the overall federation approach and to detail the data exchange models, interfaces and transports needed to support interoperability.  I plan to have a draft of this specification ready in September.  I would be happy to submit this as an individual submission to the IETF when it is more complete.
 
My hope is that this work will address many of the community’s challenges in this area.  I’d appreciate any thoughts or feedback on this overall approach.  Please let me know if you have any questions.  I have also requested a session at the Security Automation Developer Days hosted by MITRE in early July to review and discuss this work in greater detail.
 
Sincerely,
Dave Waltermire
 
From: Kent Landfield [hidden email] 
Sent: Saturday, April 28, 2012 6:17 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java
 
;-)
 
As was properly pointed out to me …there was a typo in my message…
 
"This is one of the topics I would like to see developed on the SCAM list."
 
Should have been…
 
This is one of the topics I would like to see developed on the SACM list.
 
;-)
 
Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com
 
From: <Landfield>, Kent Landfield <[hidden email]>
Reply-To: "OVAL Developer List (Closed Public Discussion)" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java
 
This has been discussed at the last two ITSAC conferences and the Winter Developer Days last year.  Discussions have been had around the needs on the SACM list as well.   This is an effort to get a standard means for distributing SCAP related content within an organization and as a potentially federated means of managing content developed by guidance authors such as CIS, NIST, other government entities and industry verticals.
 
Couple links to past presentations.
 
 
 
 
There was also a presentation that Adam Montville prepared for the IETF SACM Side meeting. They are available in the zip file of the presentations located in http://www.ietf.org/mail-archive/web/sacm/current/msg00178.html 
 
This is one of the topics I would like to see developed on the SCAM list.
 
Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com
 
From: David Solin <[hidden email]>
Reply-To: "OVAL Developer List (Closed Public Discussion)" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java
 
We'd certainly be interested in implementing any such standard.  Can you point me to who's actively discussing it?  Does MITRE intend to support any standard approaches to repository access?

Regards,
--David

On 4/28/2012 6:56 AM, Luis Nunez wrote:
You know there is talk of producing a standard spec (sacm) to do something like this.  I know we are busy but something to think about.
 
It would be cool for jOVAL to be able to directly query and pull down content directly from SecPod and other repositories in a common way.
 
-ln
 
 
 
On Apr 27, 2012, at 5:39 PM, David Solin wrote:

 

jOVAL provides a ready-to-use JAXB data model for the OVAL language, various utility classes, and of course, an evaluation engine and scan plug-ins.  It does not, however, implement access to any on-line repositories.

Feel free to contact me directly if you have any questions.

Regards,
--David Solin

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download


On 4/27/2012 8:48 AM, vulists wrote:
Hi There,
 
I'm looking for a way to access a Vulnerability Database with Java.
 
At the moment I'm not 100% sure if it's gonna be OpenVAS or something
else, like e.g. OVAL.
 
I wanted to ask, if somebody knows some ready-to-use Java API to access
"one of those" Vulnerability Databases.
 
If that's not the case, does it mean I have to implement my own XML
Parser to get the vulnerability data into my database?
 
What about standard formats?
 
 
Thanks and kind regards
 

 

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download


 

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download


Re: [sacm] [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

Waltermire, David A.

Yes.  It can store and exchange any XML based information.  Our approach works well for querying information that changes fairly infrequently and has associated persistent identifiers (e.g. security automation content).  For more dynamic information like reports, the methodology used by the content repository might not be well suited.  I see content repositories less as a silver bullet for this use case, but more as another tool in our tool belt for dealing with this use case.

 

Sincerely,

Dave

 

From: Luis Nunez [mailto:[hidden email]]
Sent: Thursday, May 03, 2012 12:57 PM
To: Waltermire, David A.
Cc: David Solin; [hidden email]; OVAL Developer List (Closed Public Discussion) ([hidden email])
Subject: Re: [sacm] [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

Hi Dave,

Thanks for the update on the prototype repository.  Does this effort fall into the use case:

 "3.4.  UC4: Secure Exchange of Governance, Risk and Compliance (GRC) Information

 

   Sharing security and/or operationally relevant information within and

   across trust boundaries using secure, automated communication

   channels and formats."

 

I see this prototype as a building block in achieving this use case.  

 

What do others think?

 

 

-ln

 

On May 3, 2012, at 9:35 AM, Waltermire, David A. wrote:



Yes.  We plan to provide a Java client resolver API and a command line utility similar to DNS.  We will also be seeking comments on the service interfaces once we have some running code and documentation.

 

Sincerely,

Dave

 

From: [hidden email] [hidden email] On Behalf Of David Solin
Sent: Wednesday, May 02, 2012 7:57 PM
To: [hidden email]
Subject: Re: [sacm] [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

Hi David,

Will this project include a reference client implementation?  Will your team be seeking comments on the REST and SOAP interfaces?

Regards,
--David Solin

On 5/2/2012 6:34 PM, Michael Hammer wrote:

David,

 

Is there any IPR associated with this?

 

Mike

 

 

From: [hidden email] [[hidden email]] On Behalf Of Waltermire, David A.
Sent: Wednesday, May 02, 2012 5:34 PM
To: OVAL Developer List (Closed Public Discussion); [hidden email]
Subject: Re: [sacm] [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

With some of the current email discussion, I’d like to provide a brief update on some projects my team has been working on in this area.  We are currently working on the following activities:

 

1)     Prototyping a federated, generalized XML-based content repository approach.  The current effort is using a metamodel to describe the key objects (called “entities”) in an XML model and the content references (called “relationships”) that exist within an XML document.  We have developed a shredder that reads in an XML instance, breaking down the entities and relationships.  It then persists the XML chunks in an XML database and the entity and relationship information in a non-relational RDF database.  We can also request the content back out of the datastore and reconstitute it.  The approach we are using does not perturb the underlying XML infoset, so signatures can be verified for content retrieved out of the repository.

 

We are currently working on web service (SOAP and REST) interfaces and a generalized query language.  Our current development phase will end in the next couple months.  We hope to have a downloadable demo available before Security Automation Developer Days in early July that will support requesting an SCAP datastream or a collection of OVAL/OCIL definitions (and related components) by identifier and version.

 

We are avoiding the registration problem by extracting a DNS name out of the content identifier. 

 

For example the content referenced by:

 

oval:org.mitre.oval:def:1

 

Can be retrieved by the content server “oval.mitre.org”.

 

The plan is to use this to look up a DNS SRV record (RFC 2782) to locate the repository that is responsible for the content identified.  This can be used to dynamically retrieve the referenced content.  We are just starting to work out an XML format for repository-to-repository information exchange to enable this communication.

 

At this point our current repository code is not far from replacing the data backend that is used for the OVAL repository.  The cool thing about the overall approach is that no OVAL specific code is necessary.  We have created XML-based shredding rules for SCAP datastream, OVAL 5.10.1 and XCCDF 1.2 formats.  It is fairly trivial to create new shredding rules for additional models.

 

You can review the code at:

 

 

Most of our work is being done in the SVN branch:

 

 

The documentation is very sparse and the code needs some cleanup.  We plan to work on this in the near future.  Our long-term goal is to provide a freely available, production capable content repository server that can participate in a federated network of content servers.

 

2)     We have also been working on a content repository specification.  The goal for this document is to describe the overall federation approach and to detail the data exchange models, interfaces and transports needed to support interoperability.  I plan to have a draft of this specification ready in September.  I would be happy to submit this as an individual submission to the IETF when it is more complete.

 

My hope is that this work will address many of the community’s challenges in this area.  I’d appreciate any thoughts or feedback on this overall approach.  Please let me know if you have any questions.  I have also requested a session at the Security Automation Developer Days hosted by MITRE in early July to review and discuss this work in greater detail.

 

Sincerely,

Dave Waltermire

 

From: Kent Landfield [hidden email] 
Sent: Saturday, April 28, 2012 6:17 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

;-)

 

As was properly pointed out to me …there was a typo in my message…

 

"This is one of the topics I would like to see developed on the SCAM list."

 

Should have been…

 

This is one of the topics I would like to see developed on the SACM list.

 

;-)

 

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com

 

From: <Landfield>, Kent Landfield <[hidden email]>
Reply-To: "OVAL Developer List (Closed Public Discussion)" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

This has been discussed at the last two ITSAC conferences and the Winter Developer Days last year.  Discussions have been had around the needs on the SACM list as well.   This is an effort to get a standard means for distributing SCAP related content within an organization and as a potentially federated means of managing content developed by guidance authors such as CIS, NIST, other government entities and industry verticals.

 

Couple links to past presentations.

 

 

 

 

There was also a presentation that Adam Montville prepared for the IETF SACM Side meeting. They are available in the zip file of the presentations located in http://www.ietf.org/mail-archive/web/sacm/current/msg00178.html 

 

This is one of the topics I would like to see developed on the SCAM list.

 

Kent Landfield
Director Content Strategy, Architecture and Standards

McAfee | An Intel Company
5000 Headquarters Dr.
Plano, Texas 75024

Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com

 

From: David Solin <[hidden email]>
Reply-To: "OVAL Developer List (Closed Public Discussion)" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Subject: Re: [OVAL-DEVELOPER-LIST] Access Vulnerability Database with Java

 

We'd certainly be interested in implementing any such standard.  Can you point me to who's actively discussing it?  Does MITRE intend to support any standard approaches to repository access?

Regards,
--David

On 4/28/2012 6:56 AM, Luis Nunez wrote:

You know there is talk of producing a standard spec (sacm) to do something like this.  I know we are busy but something to think about.

 

It would be cool for jOVAL to be able to directly query and pull down content directly from SecPod and other repositories in a common way.

 

-ln

 

 

 

On Apr 27, 2012, at 5:39 PM, David Solin wrote:

 

jOVAL provides a ready-to-use JAXB data model for the OVAL language, various utility classes, and of course, an evaluation engine and scan plug-ins.  It does not, however, implement access to any on-line repositories.

Feel free to contact me directly if you have any questions.

Regards,
--David Solin

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download


On 4/27/2012 8:48 AM, vulists wrote:

Hi There,
 
I'm looking for a way to access a Vulnerability Database with Java.
 
At the moment I'm not 100% sure if it's gonna be OpenVAS or something
else, like e.g. OVAL.
 
I wanted to ask, if somebody knows some ready-to-use Java API to access
"one of those" Vulnerability Databases.
 
If that's not the case, does it mean I have to implement my own XML
Parser to get the vulnerability data into my database?
 
What about standard formats?
 
 
Thanks and kind regards
 

 


_______________________________________________
sacm mailing list
[hidden email]
https://www.ietf.org/mailman/listinfo/sacm

 
