Re: Decoupling does not mean n o reusing

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: Decoupling does not mean n o reusing

Wolfkiel, Joseph
For the record, I like ORML (Open Remediation and Modification Language).
The "remediation" implies the ability to react to vulnerabilities or weak
settings (remedy), while the "modification" implies that the ability to
impose modifications independent of discovered state (e.g. allow for FDCC
settings that are not vulnerability related, such as automatic shutoff).  It
is also pronounceable -- like a name you'd find on a can of chili.

As an aside, it's probably time to give up on getting everyone to pronounce
SCAP as "ess-cap."  Might as well pronounce it like it's spelled.

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


-----Original Message-----
From: Quilter, Alex [mailto:[hidden email]]
Sent: Monday, July 07, 2008 12:00 PM
To: [hidden email]
Subject: Re: [OVAL-REMEDIATION-DISCUSSION-LIST] Decoupling does not mean
no reusing


Why not pull the V out; it is fairly clear that the scope of these
discussions is strongly diverging from the scoping provided by
"vulnerability" to generic actions on target platforms.  This is probably
true of OVAL at this point as well. (open assessment language)

I think remediation makes sense for the vulnerability context; I think
modification makes sense for the generic purpose.

I have the same issue with SCAP (is the "S" really for "security" or is it
for "system").

I have a feeling that most people on in this discussion are not specifically
limited in thinking about security or vulnerability but to system and state
change.

To me, the focus on vulnerability and security has been important, and the
farther remediation moves away from vulnerability the less focused the
requirements become around vulnerability.

If we want general purpose open languages for state assessment and state
change, then that is fine; however, even in this case why would there be a
different language for assessment (RO) and change (RW)?

Anyway...

-ALX

-----Original Message-----
From: Kent Landfield [mailto:[hidden email]]
Sent: Monday, July 07, 2008 10:24 AM
To: [hidden email]
Subject: Re: [OVAL-REMEDIATION-DISCUSSION-LIST] Decoupling does not mean no
reusing

Thanks Vladimir,

This is the type of discussion that I would have expected.  This was
also the approach that I thought we came out of Developer Days with.
The OVML/OVRL needs to be an integral part of the SCAP component
standards suite and as such should be able to use the other component
standards for including references and checking state dependencies,
remediation success/failure, etc.  This also allows OVRL/OVML to become
a building block standard just as all the others are. There is no reason
to change a successful architectural model now.

Also, on a non-important note...  What is it?

OVRL - Open Vulnerability Remediation Language
OVML - Open Vulnerability Modification Language

??

NIST has it as OVRL on their web site.

Like I said, not really important. Neither are too easy to pronounce...
;-)

--
Kent Landfield
Director, Risk and Compliance Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 214.385.1138 Mobile
[hidden email]
www.mcafee.com


-----Original Message-----
From: Vladimir Giszpenc [mailto:[hidden email]]
Sent: Monday, July 07, 2008 8:28 AM
To: [hidden email]
Subject: [OVAL-REMEDIATION-DISCUSSION-LIST] Decoupling does not mean no
reusing

Hello all,

Looking for a compromise, I see that we are not that far from each
other.

Where will the remediation content live?

As I see it, it is part of the SCAP data stream.  Another file(set) that
can
be referenced in the XCCDF makes the most sense.  This content already
is
much more than one file.  Remediation should start at the Rule.  It sort
of
does now, but seriously, it should start there more legitimately.  For
those
that want one file, they can probably inline the OVAL and ORML right
into
the XCCDF.  I am guessing no one will actually do that.

Should ORML reuse OVAL?

It will need to reuse a checking system for sure.  Since OVAL is the
SCAP
preferred checking system, it will reuse it (by convention).  OVAL
should
not be so closely coupled as to disallow other checking systems though.
It
should have the same flexibility as XCCDF.  Decoupling allows the
languages
to mature independently.  So a precondition check and post condition
check
that would look like XCCDF checks could use OVAL but would not be
restricted
to that checking system.

How can they be separate?

Why can't we add the ability to reference OVAL ids that live in other
files
the way XCCDF does?  This would also be useful with integrating CPE with
OVAL.  Once the ability exists, we can by convention (or officially)
keep
the remediation content separate and still reuse OVAL definitions,
tests,
etc.

Is referring to an OVAL test OK?

We said no at developer days, but we also said it was a convention and
nothing can stop someone outside OVAL from doing so.  I am of the
opinion
that duplicating the data (e.g. test) in the ORML and OVAL is worse than
keeping OVAL's interface only definitions.

The fireworks are exciting.  Though I look forward to a quick solution.

Best regards,

Vladimir Giszpenc
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959
Reply | Threaded
Open this post in threaded view
|

Re: Decoupling does not mean n o reusing

Kent Landfield
Pronounced "or MuL" ?  Close to normal. :-)  This makes sense to me and
does a better job of indicating what its intentions are.

--
Kent Landfield
Director, Risk and Compliance Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 214.385.1138 Mobile
[hidden email]
www.mcafee.com
 

-----Original Message-----
From: Wolfkiel, Joseph [mailto:[hidden email]]
Sent: Monday, July 07, 2008 1:14 PM
To: [hidden email]
Subject: Re: [OVAL-REMEDIATION-DISCUSSION-LIST] Decoupling does not mean
n o reusing

For the record, I like ORML (Open Remediation and Modification
Language).
The "remediation" implies the ability to react to vulnerabilities or
weak
settings (remedy), while the "modification" implies that the ability to
impose modifications independent of discovered state (e.g. allow for
FDCC
settings that are not vulnerability related, such as automatic shutoff).
It
is also pronounceable -- like a name you'd find on a can of chili.

As an aside, it's probably time to give up on getting everyone to
pronounce
SCAP as "ess-cap."  Might as well pronounce it like it's spelled.

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T)
Program
Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


-----Original Message-----
From: Quilter, Alex [mailto:[hidden email]]
Sent: Monday, July 07, 2008 12:00 PM
To: [hidden email]
Subject: Re: [OVAL-REMEDIATION-DISCUSSION-LIST] Decoupling does not mean
no reusing


Why not pull the V out; it is fairly clear that the scope of these
discussions is strongly diverging from the scoping provided by
"vulnerability" to generic actions on target platforms.  This is
probably
true of OVAL at this point as well. (open assessment language)

I think remediation makes sense for the vulnerability context; I think
modification makes sense for the generic purpose.

I have the same issue with SCAP (is the "S" really for "security" or is
it
for "system").

I have a feeling that most people on in this discussion are not
specifically
limited in thinking about security or vulnerability but to system and
state
change.

To me, the focus on vulnerability and security has been important, and
the
farther remediation moves away from vulnerability the less focused the
requirements become around vulnerability.

If we want general purpose open languages for state assessment and state
change, then that is fine; however, even in this case why would there be
a
different language for assessment (RO) and change (RW)?

Anyway...

-ALX

-----Original Message-----
From: Kent Landfield [mailto:[hidden email]]
Sent: Monday, July 07, 2008 10:24 AM
To: [hidden email]
Subject: Re: [OVAL-REMEDIATION-DISCUSSION-LIST] Decoupling does not mean
no
reusing

Thanks Vladimir,

This is the type of discussion that I would have expected.  This was
also the approach that I thought we came out of Developer Days with.
The OVML/OVRL needs to be an integral part of the SCAP component
standards suite and as such should be able to use the other component
standards for including references and checking state dependencies,
remediation success/failure, etc.  This also allows OVRL/OVML to become
a building block standard just as all the others are. There is no reason
to change a successful architectural model now.

Also, on a non-important note...  What is it?

OVRL - Open Vulnerability Remediation Language
OVML - Open Vulnerability Modification Language

??

NIST has it as OVRL on their web site.

Like I said, not really important. Neither are too easy to pronounce...
;-)

--
Kent Landfield
Director, Risk and Compliance Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 214.385.1138 Mobile
[hidden email]
www.mcafee.com


-----Original Message-----
From: Vladimir Giszpenc [mailto:[hidden email]]
Sent: Monday, July 07, 2008 8:28 AM
To: [hidden email]
Subject: [OVAL-REMEDIATION-DISCUSSION-LIST] Decoupling does not mean no
reusing

Hello all,

Looking for a compromise, I see that we are not that far from each
other.

Where will the remediation content live?

As I see it, it is part of the SCAP data stream.  Another file(set) that
can
be referenced in the XCCDF makes the most sense.  This content already
is
much more than one file.  Remediation should start at the Rule.  It sort
of
does now, but seriously, it should start there more legitimately.  For
those
that want one file, they can probably inline the OVAL and ORML right
into
the XCCDF.  I am guessing no one will actually do that.

Should ORML reuse OVAL?

It will need to reuse a checking system for sure.  Since OVAL is the
SCAP
preferred checking system, it will reuse it (by convention).  OVAL
should
not be so closely coupled as to disallow other checking systems though.
It
should have the same flexibility as XCCDF.  Decoupling allows the
languages
to mature independently.  So a precondition check and post condition
check
that would look like XCCDF checks could use OVAL but would not be
restricted
to that checking system.

How can they be separate?

Why can't we add the ability to reference OVAL ids that live in other
files
the way XCCDF does?  This would also be useful with integrating CPE with
OVAL.  Once the ability exists, we can by convention (or officially)
keep
the remediation content separate and still reuse OVAL definitions,
tests,
etc.

Is referring to an OVAL test OK?

We said no at developer days, but we also said it was a convention and
nothing can stop someone outside OVAL from doing so.  I am of the
opinion
that duplicating the data (e.g. test) in the ORML and OVAL is worse than
keeping OVAL's interface only definitions.

The fireworks are exciting.  Though I look forward to a quick solution.

Best regards,

Vladimir Giszpenc
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959