FEEDBACK REQUESTED: OVAL Content Development Process and Tools


FEEDBACK REQUESTED: OVAL Content Development Process and Tools

bakerj
Administrator
As the OVAL Moderator, MITRE would like to better understand the current OVAL Content development practices and any challenges that the community faces. We have put together the following questions to gather information about how the community is developing content and what tools are being used for content development. Please take a few minutes to help us understand your process and any challenges you face in developing OVAL Content.

*** We do not intend to share the responses publicly and will only use your responses to help us focus our efforts as we look for opportunities to assist in OVAL Content development practices. In order to ensure that your responses are not public, please send all responses to [hidden email] ****

-------------------------------------------------------
Developing new Content
-------------------------------------------------------
- When developing new OVAL Content what tools do you use?

- What aspects of your OVAL Content development process are manual?

- What aspects of your OVAL Content development process are automated?

- What types of capabilities are lacking currently for developing new OVAL Content?

- What aspects of the content development are particularly difficult?


-------------------------------------------------------
Updating and Maintaining Content
-------------------------------------------------------
- When updating and maintaining OVAL Content what tools do you use?

- What aspects of your OVAL Content development process are manual?

- What aspects of your OVAL Content development process are automated?

- What types of capabilities are lacking currently for editing OVAL Content?

- What aspects of the content maintenance are particularly difficult?


-------------------------------------------------------
General
-------------------------------------------------------
- What platforms do you develop OVAL Content for?

- How do you research information for OVAL Definitions?

- What sources do you find useful for creating OVAL Definitions?

- Are there things that the sources (Microsoft, Red Hat, NIST (USGCB/FDCC), DISA (STIGS), etc.) could do to make content creation easier?

- What could MITRE do to make content creation easier?

- Are there things that MITRE could do to reduce the content development effort (tool development, changes to the oval repository, other ideas)?

- Do you have any additional thoughts on how we could assist the community or simplify your process?

-------------------------------------------------------

Please also let us know if you have any additional comments or ideas about how we could help reduce OVAL Content development and maintenance efforts.

Thank you in advance for your feedback,

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].

Re: FEEDBACK REQUESTED: OVAL Content Development Process and Tools

bakerj
Administrator
I just noticed a typo in my message below. Please direct all responses to [hidden email].

Thanks,

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]


>-----Original Message-----
>From: Baker, Jon [mailto:[hidden email]]
>Sent: Tuesday, January 10, 2012 7:16 AM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: [OVAL-DEVELOPER-LIST] FEEDBACK REQUESTED: OVAL Content
>Development Process and Tools
>
>As the OVAL Moderator, MITRE would like to better understand the current
>OVAL Content development practices and any challenges that the community
>faces. We have put together the following questions to gather information
>about how the community is developing content and what tools are being
>used for content development. Please take a few minutes to help us
>understand your process and any challenges you face in developing OVAL
>Content.
>
>*** We do not intend to share the responses publicly and will only use your
>responses to help us focus our efforts as we look for opportunities to assist in
>OVAL Content development practices. In order to ensure that your responses
>are not public, please send all responses to [hidden email] ****
>
>-------------------------------------------------------
>Developing new Content
>-------------------------------------------------------
>- When developing new OVAL Content what tools do you use?
>
>- What aspects of your OVAL Content development process are manual?
>
>- What aspects of your OVAL Content development process are automated?
>
>- What types of capabilities are lacking currently for developing new OVAL
>Content?
>
>- What aspects of the content development are particularly difficult?
>
>
>-------------------------------------------------------
>Updating and Maintaining Content
>-------------------------------------------------------
>- When updating and maintaining OVAL Content what tools do you use?
>
>- What aspects of your OVAL Content development process are manual?
>
>- What aspects of your OVAL Content development process are automated?
>
>- What types of capabilities are lacking currently for editing OVAL Content?
>
>- What aspects of the content maintenance are particularly difficult?
>
>
>-------------------------------------------------------
>General
>-------------------------------------------------------
>- What platforms do you develop OVAL Content for?
>
>- How do you research information for OVAL Definitions?
>
>- What sources do you find useful for creating OVAL Definitions?
>
>- Are there things that the sources (Microsoft, Red Hat, NIST (USGCB/FDCC),
>DISA (STIGS), etc.) could do to make content creation easier?
>
>- What could MITRE do to make content creation easier?
>
>- Are there things that MITRE could do to reduce the content development
>effort (tool development, changes to the oval repository, other ideas)?
>
>- Do you have any additional thoughts on how we could assist the community
>or simplify your process?
>
>-------------------------------------------------------
>
>Please also let us know if you have any additional comments or ideas about
>how we could help reduce OVAL Content development and maintenance
>efforts.
>
>Thank you in advance for your feedback,
>
>Jon
>
>============================================
>Jonathan O. Baker
>G022 - IA Industry Collaboration
>The MITRE Corporation
>Email: [hidden email]
>
>To unsubscribe, send an email message to [hidden email] with
>SIGNOFF OVAL-DEVELOPER-LIST
>in the BODY of the message.  If you have difficulties, write to OVAL-
>[hidden email].


Re: FEEDBACK REQUESTED: OVAL Content Development Process and Tools

Hansbury, Matt
In reply to this post by bakerj
All,

Thank you to all of those that responded to our content authoring survey.  We wanted to provide you a high level summary of the types of feedback we received, as well as responses from the team where appropriate.  Here are the major themes we saw:

* There is no commonly used solution to all content development tasks. As a result most people use a wide variety of tools including: eSCAPe, notepad++, XmlSpy, Oxygen, notepad, and emacs.
* Due to the volume of OVAL Content it is becoming increasingly difficult to manually edit content. Sometimes you need to work across large sets of content.
MITRE:  We are working on building additional capabilities to aid with this.  These tools will include a simple XSL-based viewer that will allow a simpler way to navigate through OVAL items in an arbitrary OVAL file, as well as easier ways to view and locate the content required.
* More often than not, content developers resort to manual xml authoring.
* A capability that auto generated and managed comments would be helpful.
MITRE:  For the OVAL Repository content, this actually does happen to some degree.  For example, if a Definition extends another Definition, the comment on the extend_definition element is auto-corrected to be the title of the extended Definition.  Additional capabilities can be added to the OVAL Repository to help with this.  We need only to agree as a group what the rules would be and when the auto-generation would occur.  For reference see: http://making-security-measurable.1364806.n2.nabble.com/What-should-be-in-a-comment-td6200406.html#a6203955.  Additionally, we have added a tracker in the OVAL Utilities to create a tool for helping with this:  https://sourceforge.net/tracker/?func=detail&aid=3483900&group_id=254396&atid=1127140.
* The OVAL Language sandbox concept is desirable for content authors to allow them to experiment with new language constructs.
MITRE:  This is currently being developed by the MITRE team.
* Unauthenticated assessments with OVAL should be considered.
MITRE:  This request can be explored within the OVAL Sandbox, once that capability is completed.
* Scripting in OVAL should be considered.
MITRE:  This is dependent on the creation of the OVAL Language Sandbox.  Once established, we will develop a scripting proposal and work with the community to investigate the idea of utilizing scripting in OVAL.
* An OVAL content merge capability is needed.
MITRE:  This type of tool already exists in the OVAL Utilities project.  See:  http://sourceforge.net/projects/ovalutils/files/oval_merge/
* OVALDI is used for testing and it presents challenges when it does not support all test types.
MITRE: The OVAL Interpreter is a freely available reference implementation that demonstrates the evaluation of OVAL Content, serves as a reference for tool vendors, and ensures correct adherence to the OVAL Language by content authors.  It was not intended to support the entire OVAL Language.  However, if you would like to see specific capabilities implemented, please let us know.  We are very willing to adjust priorities based on the needs of the community.
* ID management and reference handling is challenging.
* Maintaining version numbers properly is a manually intensive, error prone process.
MITRE:  The MITRE team agrees with this, versioning can be challenging.  For the OVAL Repository, the tools attempt to do most of the work in this regard for this reason.  Authors need only be concerned with versions for new items (must be '0').  Any existing ones are managed by the tools.
* Cascading deletes are cumbersome.
MITRE:  For the OVAL Repository, our internal tools have some capabilities for deleting and/or deprecating content.  It does handle the cascading delete case.  If content needs to be removed or simply deprecated, an email to the oval-discussion-list can be sent to notify the team of this.  The tools will then be used to handle this action.  We have also created a tracker to provide a tool that will do cascading deletes on an arbitrary OVAL file:  https://sourceforge.net/tracker/?func=detail&aid=3483906&group_id=254396&atid=1127140
* A tree view of an OVAL definition document that represented the references would be helpful.
MITRE:  The team is creating the above referenced XSL-based viewer, which will help with this.  It may be expanded over time to provide this tree-like structure.
* Examples of each test are needed.
MITRE:  The test content can provide some of this.  See: http://oval.mitre.org/repository/about/testcontent.html.  If you would like to see specific test content, please let us know.  We are very willing to adjust priorities based on the needs of the community.
* Content development best practices are needed.
MITRE:  We have added a tracker item to address this.  We will work on a proposal for this as soon as we are able.
* Process OVAL Repository submissions faster.
MITRE:  The team attempts to balance quick submission processing and allowing time for community feedback.  At times, submissions are altered or even scrapped before they are ever processed due to community feedback.  Quicker processing time would limit the opportunity for this exchange.  That said, we are working on upgrading our tools to better handle large submissions, such that they can be turned around faster.
* Make previous versions of items in the repository available.
MITRE:  The team is aware of this issue and is investigating how such a requirement would work.
* Users need to be able to pick and choose items for download as one combined set from the OVAL Repository.
MITRE:  This feature request has been made in the past.  We have moved up the priority on such a feature and will attempt to work it into the Repository tools as soon as we are able.
* An interface to identify all OVAL Definitions, Tests, Objects, States, and Variables that have changed over a period of time is needed.
MITRE:  This feature request has been added to our tracking system.  Again, we will try to work it in as soon as we can into the OVAL Repository tools.
* Simplify linking OVAL to XCCDF.
MITRE:  The OVAL Team is aware of some difficulties here and will work with the XCCDF team to try and remediate these.  Additionally, the SCAP Validation tool will help identify some of the potential linking issues: http://scap.nist.gov/revision/1.1/index.html#tools
* OVALDI needs to support windows_view attribute to allow the community to employ this new language capability.
MITRE: We have added a tracker item for this and will address it as soon as we can.
* More clarity on MITRE position around major content cleanup activities in the repository is needed.
MITRE:  We are aware of some things in the Repository that could use some attention to make them more consistent and generally "cleaner".  We try to prioritize things appropriately, but make our best effort to take these types of tasks on as we are able.  Please let us know if there are specific content issues that you are aware of and we will work with the community to ensure that they are addressed in a timely manner.
* OVAL is dependent upon the other security automation efforts and should be more closely engaged with them.
MITRE:  We try to investigate and understand other relevant security automation efforts and participate in them where appropriate. As a community, you can help us to ensure that we are both aware of other efforts and that the communities supporting those efforts understand OVAL and any possible connections there may be with OVAL.
* Investigate the Threat/Malware use case and support it well. OVAL should be the host based assessment platform.
MITRE:  The MITRE team is currently working on how this can be accomplished.  This case is dependent on the OVAL Language Sandbox, so that this work can be developed.  Additionally, the team plans on discussing this at the next Software Assurance Working Group in March: https://buildsecurityin.us-cert.gov/bsi/events/1293-BSI.html

Again, a big thank you to all of those that participated with this survey.  Please let us know if we are missing any central themes that you had wanted to impart upon us or if you have any questions.

Thanks
Matt
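
The comment rule described in the summary above (an extend_definition comment set to the title of the Definition it extends), sketched as an added example that is not the OVAL Repository's or OVAL Utilities' own code. The sample document, its IDs and the function name `sync_extend_comments` are constructed for illustration; references that cannot be resolved in the same file are reported instead of being touched.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"d": OVAL_NS}

# Constructed sample content: IDs, titles and comments are made up.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:org.example:def:1" version="3" class="inventory">
      <metadata><title>Example OS 1.0 is installed</title></metadata>
      <criteria>
        <criterion test_ref="oval:org.example:tst:1" comment="example test"/>
      </criteria>
    </definition>
    <definition id="oval:org.example:def:2" version="0" class="vulnerability">
      <metadata><title>Example flaw in Example OS</title></metadata>
      <criteria operator="AND">
        <extend_definition definition_ref="oval:org.example:def:1" comment="stale text"/>
        <extend_definition definition_ref="oval:org.example:def:99" comment="not in file"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>"""


def sync_extend_comments(xml_text):
    """Set each extend_definition comment to the extended Definition's title.

    Returns (new_xml, changed_refs, unresolved_refs). Intended for locally
    authored content, not for parsing untrusted XML.
    """
    ET.register_namespace("", OVAL_NS)  # keep OVAL as the default namespace
    root = ET.fromstring(xml_text)

    # Map definition id -> whitespace-normalised title.
    titles = {}
    for definition in root.iterfind(".//d:definition", NS):
        title = definition.find("d:metadata/d:title", NS)
        if title is not None and title.text:
            titles[definition.get("id")] = " ".join(title.text.split())

    changed, unresolved = [], []
    for ext in root.iter("{%s}extend_definition" % OVAL_NS):
        ref = ext.get("definition_ref")
        if ref not in titles:
            unresolved.append(ref)  # dangling or external reference
            continue
        if ext.get("comment") != titles[ref]:
            ext.set("comment", titles[ref])
            changed.append(ref)
    return ET.tostring(root, encoding="unicode"), changed, unresolved


if __name__ == "__main__":
    new_xml, changed, unresolved = sync_extend_comments(SAMPLE)
    print("updated:", changed)
    print("unresolved:", unresolved)
```
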

