Security Automation Developer Days - June 14-16

classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

Security Automation Developer Days - June 14-16

Boczenowski, Steve

MITRE is pleased to announce that we will be hosting Security Automation Days here at MITRE in Bedford, MA on June 14 – 16.

 

Please mark the date.

 

Below is our tentative agenda.

 

Look forward to seeing you there.

 

Steve

 

 

 

Security Automation Days
The MITRE Corporation    Bedford, Massachusetts
June 14 - 16, 2010

Day 1

8:30

0:15

Welcome

 

8:45

3:00

ARF / ASR / PLARR

 

11:45

0:15

CVE Status Report

 

12:00

0:15

CCE Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

XCCDF Status Report

 

13:00

3:30

OVAL

 

16:30

0:15

Day 1 Wrap-Up

 

Day 2

8:00

0:15

Welcome

 

8:15

2:00

Cross-SCAP Standardization

 

10:15

0:15

Break

 

10:30

1:35

Remediation - Part 1

 

12:05

0:10

OCIL Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

SCAP v 1.1 Status Report

 

13:00

3:45

Remediation - Part 2

 

16:45

0:15

Day 2 Wrap-Up

 

Day 3

8:00

0:15

Welcome

 

8:15

2:00

Digital Trust

 

10:15

0:15

Break

 

10:30

1:30

CPE - Part 1

 

12:00

0:15

CEE/EMAP Status Report

 

12:15

0:30

Lunch

 

12:45

0:30

CWE / CAPEC / SAFES Overview

 

13:15

0:10

MAEC Overview

 

13:25

3:20

CPE - Part 2

 

16:45

0:15

Day 3 Wrap-Up

 

 

 

 

 

 

______________________________________________

Stephen P. Boczenowski

      The MITRE Corporation

      Office: (781) 271-7682

      Cell: (978) 302-3849

      [hidden email]

 

Benchmark Development Course

http://benchmarkdevelopment.mitre.org/

 

Reply | Threaded
Open this post in threaded view
|

Re: Security Automation Developer Days - June 14-16

Ernest Park-2
I find it disappointing that you make no effort to support remote attendance for these meetings.

Additionally, before I attend another meeting like this, it would be nice to see the action items from prior meetings and the actions taken as a result. I am sure that we would like to see that historically our participation has measured benefits.



Ernie

On Wed, Mar 31, 2010 at 11:20 AM, Boczenowski, Steve <[hidden email]> wrote:

MITRE is pleased to announce that we will be hosting Security Automation Days here at MITRE in Bedford, MA on June 14 – 16.

 

Please mark the date.

 

Below is our tentative agenda.

 

Look forward to seeing you there.

 

Steve

 

 

 

Security Automation Days
The MITRE Corporation    Bedford, Massachusetts
June 14 - 16, 2010

Day 1

8:30

0:15

Welcome

 

8:45

3:00

ARF / ASR / PLARR

 

11:45

0:15

CVE Status Report

 

12:00

0:15

CCE Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

XCCDF Status Report

 

13:00

3:30

OVAL

 

16:30

0:15

Day 1 Wrap-Up

 

Day 2

8:00

0:15

Welcome

 

8:15

2:00

Cross-SCAP Standardization

 

10:15

0:15

Break

 

10:30

1:35

Remediation - Part 1

 

12:05

0:10

OCIL Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

SCAP v 1.1 Status Report

 

13:00

3:45

Remediation - Part 2

 

16:45

0:15

Day 2 Wrap-Up

 

Day 3

8:00

0:15

Welcome

 

8:15

2:00

Digital Trust

 

10:15

0:15

Break

 

10:30

1:30

CPE - Part 1

 

12:00

0:15

CEE/EMAP Status Report

 

12:15

0:30

Lunch

 

12:45

0:30

CWE / CAPEC / SAFES Overview

 

13:15

0:10

MAEC Overview

 

13:25

3:20

CPE - Part 2

 

16:45

0:15

Day 3 Wrap-Up

 

 

 

 

 

 

______________________________________________

Stephen P. Boczenowski

      The MITRE Corporation

      Office: (781) 271-7682

      Cell: (978) 302-3849

      [hidden email]

 

Benchmark Development Course

http://benchmarkdevelopment.mitre.org/

 


Reply | Threaded
Open this post in threaded view
|

Re: Security Automation Developer Days - June 14-16

Jon Baker
Administrator

Ernest,

 

Speaking for OVAL, as the event approaches I plan to make sure that the community is well aware of the impact of these meetings and their ongoing contributions to OVAL. At the moment I think the opening few minutes of the OVAL session will cover a status update and recap of the actions take since the last OVAL developer days.

 

It should also be noted that more information and a registration form will be posted in the near future.

 

Thanks,

 

Jon

 

============================================

Jonathan O. Baker

G022 - IA Industry Collaboration

The MITRE Corporation

Email: [hidden email]

 

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 11:23 AM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June 14-16

 

I find it disappointing that you make no effort to support remote attendance for these meetings.

 

Additionally, before I attend another meeting like this, it would be nice to see the action items from prior meetings and the actions taken as a result. I am sure that we would like to see that historically our participation has measured benefits.

 

 

 

Ernie

On Wed, Mar 31, 2010 at 11:20 AM, Boczenowski, Steve <[hidden email]> wrote:

MITRE is pleased to announce that we will be hosting Security Automation Days here at MITRE in Bedford, MA on June 14 – 16.

 

Please mark the date.

 

Below is our tentative agenda.

 

Look forward to seeing you there.

 

Steve

 

 

 

Security Automation Days
The MITRE Corporation    Bedford, Massachusetts
June 14 - 16, 2010

Day 1

8:30

0:15

Welcome

 

8:45

3:00

ARF / ASR / PLARR

 

11:45

0:15

CVE Status Report

 

12:00

0:15

CCE Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

XCCDF Status Report

 

13:00

3:30

OVAL

 

16:30

0:15

Day 1 Wrap-Up

 

Day 2

8:00

0:15

Welcome

 

8:15

2:00

Cross-SCAP Standardization

 

10:15

0:15

Break

 

10:30

1:35

Remediation - Part 1

 

12:05

0:10

OCIL Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

SCAP v 1.1 Status Report

 

13:00

3:45

Remediation - Part 2

 

16:45

0:15

Day 2 Wrap-Up

 

Day 3

8:00

0:15

Welcome

 

8:15

2:00

Digital Trust

 

10:15

0:15

Break

 

10:30

1:30

CPE - Part 1

 

12:00

0:15

CEE/EMAP Status Report

 

12:15

0:30

Lunch

 

12:45

0:30

CWE / CAPEC / SAFES Overview

 

13:15

0:10

MAEC Overview

 

13:25

3:20

CPE - Part 2

 

16:45

0:15

Day 3 Wrap-Up

 

 

 

 

 

 

______________________________________________

Stephen P. Boczenowski

      The MITRE Corporation

      Office: (781) 271-7682

      Cell: (978) 302-3849

      [hidden email]

 

Benchmark Development Course

http://benchmarkdevelopment.mitre.org/

 

 

Reply | Threaded
Open this post in threaded view
|

Re: Security Automation Developer Days - June 14-16

Ernest Park-2
Jon - 


Having been at a few of these sessions, what I want a recap of, posted herein, is the open items over the last few years, action taken, and things outstanding.

Show us as a community that this project is alive.

Why not post the project, maintainers, open issues with assignments on an open project hosting site - Sourceforge, Google, etc?


There are still a substantial number of "sticking issues". How about a public bug list with status and assignment? Let us see the associated workflows to SCAP. Maybe we can help.

We are being asked to contribute to, support, and endorse an open  concept that is more of a black box. I have to travel to MA to get status updates and participate in project meetings. In the days of high speed connectivity, it seems like we are not embracing the technology that we intend to automate and manage.



Ernie

On Wed, Mar 31, 2010 at 1:38 PM, Baker, Jon <[hidden email]> wrote:

Ernest,

 

Speaking for OVAL, as the event approaches I plan to make sure that the community is well aware of the impact of these meetings and their ongoing contributions to OVAL. At the moment I think the opening few minutes of the OVAL session will cover a status update and recap of the actions take since the last OVAL developer days.

 

It should also be noted that more information and a registration form will be posted in the near future.

 

Thanks,

 

Jon

 

============================================

Jonathan O. Baker

G022 - IA Industry Collaboration

The MITRE Corporation

Email: [hidden email]

 

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 11:23 AM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June 14-16

 

I find it disappointing that you make no effort to support remote attendance for these meetings.

 

Additionally, before I attend another meeting like this, it would be nice to see the action items from prior meetings and the actions taken as a result. I am sure that we would like to see that historically our participation has measured benefits.

 

 

 

Ernie

On Wed, Mar 31, 2010 at 11:20 AM, Boczenowski, Steve <[hidden email]> wrote:

MITRE is pleased to announce that we will be hosting Security Automation Days here at MITRE in Bedford, MA on June 14 – 16.

 

Please mark the date.

 

Below is our tentative agenda.

 

Look forward to seeing you there.

 

Steve

 

 

 

Security Automation Days
The MITRE Corporation    Bedford, Massachusetts
June 14 - 16, 2010

Day 1

8:30

0:15

Welcome

 

8:45

3:00

ARF / ASR / PLARR

 

11:45

0:15

CVE Status Report

 

12:00

0:15

CCE Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

XCCDF Status Report

 

13:00

3:30

OVAL

 

16:30

0:15

Day 1 Wrap-Up

 

Day 2

8:00

0:15

Welcome

 

8:15

2:00

Cross-SCAP Standardization

 

10:15

0:15

Break

 

10:30

1:35

Remediation - Part 1

 

12:05

0:10

OCIL Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

SCAP v 1.1 Status Report

 

13:00

3:45

Remediation - Part 2

 

16:45

0:15

Day 2 Wrap-Up

 

Day 3

8:00

0:15

Welcome

 

8:15

2:00

Digital Trust

 

10:15

0:15

Break

 

10:30

1:30

CPE - Part 1

 

12:00

0:15

CEE/EMAP Status Report

 

12:15

0:30

Lunch

 

12:45

0:30

CWE / CAPEC / SAFES Overview

 

13:15

0:10

MAEC Overview

 

13:25

3:20

CPE - Part 2

 

16:45

0:15

Day 3 Wrap-Up

 

 

 

 

 

 

______________________________________________

Stephen P. Boczenowski

      The MITRE Corporation

      Office: (781) 271-7682

      Cell: (978) 302-3849

      [hidden email]

 

Benchmark Development Course

http://benchmarkdevelopment.mitre.org/

 

 


Reply | Threaded
Open this post in threaded view
|

Re: Security Automation Developer Days - June 14-16

Boczenowski, Steve

Ernie;

 

Based upon years of experience with these events, we find that these sessions are much more productive when we limit them to “live” attendees.

 

As for status updates, did you see Brant Cheikes report of minutes from the last Developer Days workshop in February and his subsequent message “Objectives for CPE v2.3”?  (Both of those message are attached to this message.)  Were they not sufficient?

Steve

 

 

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 2:05 PM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June 14-16

 

Jon - 

 

 

Having been at a few of these sessions, what I want a recap of, posted herein, is the open items over the last few years, action taken, and things outstanding.

 

Show us as a community that this project is alive.

 

Why not post the project, maintainers, open issues with assignments on an open project hosting site - Sourceforge, Google, etc?

 

 

There are still a substantial number of "sticking issues". How about a public bug list with status and assignment? Let us see the associated workflows to SCAP. Maybe we can help.

 

We are being asked to contribute to, support, and endorse an open  concept that is more of a black box. I have to travel to MA to get status updates and participate in project meetings. In the days of high speed connectivity, it seems like we are not embracing the technology that we intend to automate and manage.

 

 

 

Ernie

On Wed, Mar 31, 2010 at 1:38 PM, Baker, Jon <[hidden email]> wrote:

Ernest,

 

Speaking for OVAL, as the event approaches I plan to make sure that the community is well aware of the impact of these meetings and their ongoing contributions to OVAL. At the moment I think the opening few minutes of the OVAL session will cover a status update and recap of the actions take since the last OVAL developer days.

 

It should also be noted that more information and a registration form will be posted in the near future.

 

Thanks,

 

Jon

 

============================================

Jonathan O. Baker

G022 - IA Industry Collaboration

The MITRE Corporation

Email: [hidden email]

 

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 11:23 AM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June 14-16

 

I find it disappointing that you make no effort to support remote attendance for these meetings.

 

Additionally, before I attend another meeting like this, it would be nice to see the action items from prior meetings and the actions taken as a result. I am sure that we would like to see that historically our participation has measured benefits.

 

 

 

Ernie

On Wed, Mar 31, 2010 at 11:20 AM, Boczenowski, Steve <[hidden email]> wrote:

MITRE is pleased to announce that we will be hosting Security Automation Days here at MITRE in Bedford, MA on June 14 – 16.

 

Please mark the date.

 

Below is our tentative agenda.

 

Look forward to seeing you there.

 

Steve

 

 

 

Security Automation Days
The MITRE Corporation    Bedford, Massachusetts
June 14 - 16, 2010

Day 1

8:30

0:15

Welcome

 

8:45

3:00

ARF / ASR / PLARR

 

11:45

0:15

CVE Status Report

 

12:00

0:15

CCE Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

XCCDF Status Report

 

13:00

3:30

OVAL

 

16:30

0:15

Day 1 Wrap-Up

 

Day 2

8:00

0:15

Welcome

 

8:15

2:00

Cross-SCAP Standardization

 

10:15

0:15

Break

 

10:30

1:35

Remediation - Part 1

 

12:05

0:10

OCIL Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

SCAP v 1.1 Status Report

 

13:00

3:45

Remediation - Part 2

 

16:45

0:15

Day 2 Wrap-Up

 

Day 3

8:00

0:15

Welcome

 

8:15

2:00

Digital Trust

 

10:15

0:15

Break

 

10:30

1:30

CPE - Part 1

 

12:00

0:15

CEE/EMAP Status Report

 

12:15

0:30

Lunch

 

12:45

0:30

CWE / CAPEC / SAFES Overview

 

13:15

0:10

MAEC Overview

 

13:25

3:20

CPE - Part 2

 

16:45

0:15

Day 3 Wrap-Up

 

 

 

 

 

 

______________________________________________

Stephen P. Boczenowski

      The MITRE Corporation

      Office: (781) 271-7682

      Cell: (978) 302-3849

      [hidden email]

 

Benchmark Development Course

http://benchmarkdevelopment.mitre.org/

 

 

 


CPE Community,

 

Attached please find the notes from the 22 Feb 2010 CPE workshop.  Please feel free to send corrections/clarifications etc. either to the list or just to me, and we’ll collect them into an errata sheet.

 

Within a few days I’ll circulate some specific thoughts on what we can accomplish (and how) over the next 3-4 months to achieve an improved, usable version 2.3 of the CPE specification.

 

/Brant

 

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

 


CPE Community,

 

We want to thank those of you who participated in the CPE Developer Days Workshop on February 22 and those who completed the CPE Stakeholder Survey. Your contribution was invaluable in determining how CPE can better meet the needs of the community. CPE will be a better standard in the near future thanks to your efforts. The CPE Workshop was the beginning of a fresh approach for CPE development in which the community will actively drive the development of the standard with the Core Team’s support and guidance. The CPE technical working groups (TWGs) will be a key part of this community-driven approach. More information about the CPE TWGs is coming soon. For those of you who could not participate in the CPE Developer Days Workshop, the minutes and slides are posted at: http://measurablesecurity.mitre.org/participation/devdays.html

 

Today, we would like to share our thoughts with you regarding near term goals for achieving an improved, more usable version 2.3 of the CPE specification. These goals are wholly based on CPE community needs and proposed solutions that were collected from the CPE Developer Days Workshop, the CPE Stakeholder Survey, community contributions to the CPE Discussion list, and CPE stakeholder interviews. We want you to know that we are listening and we intend to take quick action to improve the utility and usability of CPE in the near future. Our immediate goal is to release a candidate 2.3 specification to be included in the next release of SCAP. This means that the specification must be in its final form by July 31, 2010. The development of CPE 2.3 will be an interactive, community-driven activity in which we will be soliciting the community’s advice early and often.

 

While we have an aggressive plan for an intense round of rapid improvement, this is a time-constrained activity with limited resources. Therefore the goal is to implement as many of the proposed changes as possible in the time allowed. The unordered list of candidate changes for CPE version 2.3 is:

 

1.   Remove the prefix property;

2.   Remove the requirements that CPE names be encoded and exchanged as URIs;

3.   Add support for distinct namespaces;

4.   Provide at least partial support for an extensible vocabulary of tags;

5.   Revise the matching algorithm;

6.   Divide the specification into a set of modular related specifications. Proposed division boundaries include: a naming specification, the CPE dictionary specification, CPE matching specification, CPE language specification, and possibly also a high level common umbrella specification.

 

While there are other proposed changes that are equally valid and important, these changes were chosen for the following reasons:

 

1.   They were widely requested;

2.   We believe we can implement them without breaking backward compatibility with v2.2;

3.   They have the potential to be implemented in the limited time available.

 

It is important to understand that this message is not a promise to achieve all of these goals. Rather, we intend to achieve as many as possible within the given timeframe and with the available resources. Our success is partly dependent on community participation. You will have many opportunities to participate in the development of CPE, including participation on the Core Team and TWGs as well as direct contribution to specification development. The future of CPE will be what you make it, so please contribute as much as you are able with the understanding that we will all benefit from the result.

 

The Core Team is currently working hard to outline a process and major milestones for producing CPE version 2.3. We will be sharing that information with you sometime next week.

 

Thanks again for helping to make CPE a better standard.

 

Best regards,

/Brant

 

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

 


CPE_Developer_Days_Winter_2010_Workshop_Minutes_Final.docx (90K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Security Automation Developer Days - June 14-16

Brant Cheikes

I understand and am very sympathetic with Ernie’s point of view, at least regarding CPE.  I’m well aware there’s a well-founded perception that the CPE standard isn’t improving, either at the rate or in the direction(s) that people desire.  But I can assure everyone that the lack of traffic on the cpe-list is not due to any lack of activity behind the scenes.

 

We are struggling to find a balance among different forces which want different changes at different rates.  At the most recent CPE Workshop, I suggested that our current strategy has two parts: (1) to prepare a v2.3 release of the CPE specification which fixes and improves what we can, while preserving backward compatibility with v2.2, and (2) map out a path to v3.0 which “gets it right” (or at least “righter”) at the cost of breaking backward compatibility.  We’re still pursuing that strategy.

 

The recent Workshop was very helpful in informing our plans for v2.3.  At the moment, the CPE Core Team is trying to work out a high-level outline, and I hope to have news to share with the community soon.  The decision making is being guided by community input, but also by cold-eyed assessments of how much time we have to do the work (determined by the SCAP lifecycle), what resources are available to get the work done, and what NIST is able to implement and support on the dictionary content-management side.  Everyone needs to understand that CPE isn’t being developed in isolation giving us the discretion to make whatever changes we want on whatever timetable we want.

 

I expect that this community will see more evidence of movement and change over the coming weeks, and there will be more opportunities for involvement in participation.  We needed to schedule the next Developer Days now, to get it on everyone’s calendar, even though I know (for CPE) it’s not clear what we will have accomplished by then.  I hope that by the end of April there will be greater optimism regarding CPE’s future, and less questioning of the value of attending Developer Days.

 

Cheers,

/Brant

 

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

 

From: Boczenowski, Steve [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 3:14 PM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June 14-16

 

Ernie;

 

Based upon years of experience with these events, we find that these sessions are much more productive when we limit them to “live” attendees.

 

As for status updates, did you see Brant Cheikes report of minutes from the last Developer Days workshop in February and his subsequent message “Objectives for CPE v2.3”?  (Both of those message are attached to this message.)  Were they not sufficient?

Steve

 

 

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 2:05 PM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June 14-16

 

Jon - 

 

 

Having been at a few of these sessions, what I want a recap of, posted herein, is the open items over the last few years, action taken, and things outstanding.

 

Show us as a community that this project is alive.

 

Why not post the project, maintainers, open issues with assignments on an open project hosting site - Sourceforge, Google, etc?

 

 

There are still a substantial number of "sticking issues". How about a public bug list with status and assignment? Let us see the associated workflows to SCAP. Maybe we can help.

 

We are being asked to contribute to, support, and endorse an open  concept that is more of a black box. I have to travel to MA to get status updates and participate in project meetings. In the days of high speed connectivity, it seems like we are not embracing the technology that we intend to automate and manage.

 

 

 

Ernie

On Wed, Mar 31, 2010 at 1:38 PM, Baker, Jon <[hidden email]> wrote:

Ernest,

 

Speaking for OVAL, as the event approaches I plan to make sure that the community is well aware of the impact of these meetings and their ongoing contributions to OVAL. At the moment I think the opening few minutes of the OVAL session will cover a status update and recap of the actions take since the last OVAL developer days.

 

It should also be noted that more information and a registration form will be posted in the near future.

 

Thanks,

 

Jon

 

============================================

Jonathan O. Baker

G022 - IA Industry Collaboration

The MITRE Corporation

Email: [hidden email]

 

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 11:23 AM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June 14-16

 

I find it disappointing that you make no effort to support remote attendance for these meetings.

 

Additionally, before I attend another meeting like this, it would be nice to see the action items from prior meetings and the actions taken as a result. I am sure that we would like to see that historically our participation has measured benefits.

 

 

 

Ernie

On Wed, Mar 31, 2010 at 11:20 AM, Boczenowski, Steve <[hidden email]> wrote:

MITRE is pleased to announce that we will be hosting Security Automation Days here at MITRE in Bedford, MA on June 14 – 16.

 

Please mark the date.

 

Below is our tentative agenda.

 

Look forward to seeing you there.

 

Steve

 

 

 

Security Automation Days
The MITRE Corporation    Bedford, Massachusetts
June 14 - 16, 2010

Day 1

8:30

0:15

Welcome

 

8:45

3:00

ARF / ASR / PLARR

 

11:45

0:15

CVE Status Report

 

12:00

0:15

CCE Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

XCCDF Status Report

 

13:00

3:30

OVAL

 

16:30

0:15

Day 1 Wrap-Up

 

Day 2

8:00

0:15

Welcome

 

8:15

2:00

Cross-SCAP Standardization

 

10:15

0:15

Break

 

10:30

1:35

Remediation - Part 1

 

12:05

0:10

OCIL Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

SCAP v 1.1 Status Report

 

13:00

3:45

Remediation - Part 2

 

16:45

0:15

Day 2 Wrap-Up

 

Day 3

8:00

0:15

Welcome

 

8:15

2:00

Digital Trust

 

10:15

0:15

Break

 

10:30

1:30

CPE - Part 1

 

12:00

0:15

CEE/EMAP Status Report

 

12:15

0:30

Lunch

 

12:45

0:30

CWE / CAPEC / SAFES Overview

 

13:15

0:10

MAEC Overview

 

13:25

3:20

CPE - Part 2

 

16:45

0:15

Day 3 Wrap-Up

 

 

 

 

 

 

______________________________________________

Stephen P. Boczenowski

      The MITRE Corporation

      Office: (781) 271-7682

      Cell: (978) 302-3849

      [hidden email]

 

Benchmark Development Course

http://benchmarkdevelopment.mitre.org/

 

 

 

Reply | Threaded
Open this post in threaded view
|

Re: Security Automation Developer Days - June 14-16

Smith, Robert J Mr NII/DoD-CIO
In reply to this post by Jon Baker
Classification: UNCLASSIFIED

All,

The Department of Defense (DoD) IT Asset Management (ITAM) team and the
General Services Administration (GSA) Federal ITAM office teamed up on March
24th, to attend a Work Group session with TagVault and industry software
vendors to discuss the new ISO/IEC 19770-2 software identification tagging
standard and the work in progress on the 19770-3 draft defining the
structure for software entitlement tags.

ISO/IEC 19770-2 is an emerging specification for software tagging to
identify installed software. Data elements in ISO/IEC 19770-2 are consistent
with the Common Platform Enumerator (CPE) specification being developed by
the National Institute of Standards and Technology (NIST). I understand that
CPE has origins in information assurance and vulnerability databases. The
DoD ITAM was originally considering the use of CPE as a possible
authoritative source for a standard DoD software library. TagVault.org,
which is being looked at by the GSA Federal ITAM office and the SmartBuy
program office, is driving an effort to work with vendors to populate a
software library using ISO/IEC 19770-2. The Air Force is also serious about
ISO/IEC 19770-2 by making it a part of their draft NETCENTS2 contract
requirements with an effect date of Jan 2010. DoD ITAM would like to
coordinate with CPE and TagVault to promote a coordinated or unified effort.
I think both efforts are very similar and we could reap great benefits in
joining the efforts.  Why coordinate with every commercial software vendor
on zillions of product titles, vet it all through a board, develop a
database that needs to be maintained (resource intensive) and find out that
the information is or could be made available by your COTS vendors through
software identification tags?  I would hope that auto discover tool vendors
will adopt the ISO/IEC 19770-2 standard sooner than later, which will make
it easier to identify how much of what products you have by mfgr, product
date, product title, version, patch, bundle, model, etc.  Full
implementation of the standard across the DoD, GSA, and the commercial
sector is a ways off yet, but is getting a lot of attention lately,  asset
managers will reap big rewards when software vendors start adhering to the
new standard.  No doubt that compliance and audit issues will diminish over
time and maybe help us all in our security posture.
 
Another standard, ISO 19770-3, is emerging for entitlements to provide
common definitions for the intellectual property rights included in a
software license (e.g., term vs. perpetual use, single vs. multi-user
installation, authorization to install on secondary portable device). The
other working group for entitlements has formed, with the objective to
create standards for the intellectual property rights provided with software
licenses.

The DoD ITAM team plans to work with GSA and TagVault on the entitlement
effort and would like to promote a coordinated and unified effort in regard
to software identification tagging with GSA, TagVault and the CPE community.

Your thoughts and comments are welcome.


R/
Bob Smith

(703) 601-4729 ext 124
[hidden email]

-----Original Message-----
From: Baker, Jon [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 1:39 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June
14-16

Ernest,

 

Speaking for OVAL, as the event approaches I plan to make sure that the
community is well aware of the impact of these meetings and their ongoing
contributions to OVAL. At the moment I think the opening few minutes of the
OVAL session will cover a status update and recap of the actions take since
the last OVAL developer days.

 

It should also be noted that more information and a registration form will
be posted in the near future.

 

Thanks,

 

Jon

 

============================================

Jonathan O. Baker

G022 - IA Industry Collaboration

The MITRE Corporation

Email: [hidden email]

 

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 11:23 AM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June
14-16

 

I find it disappointing that you make no effort to support remote attendance
for these meetings.

 

Additionally, before I attend another meeting like this, it would be nice to
see the action items from prior meetings and the actions taken as a result.
I am sure that we would like to see that historically our participation has
measured benefits.

 

 

 

Ernie

On Wed, Mar 31, 2010 at 11:20 AM, Boczenowski, Steve <[hidden email]>
wrote:

MITRE is pleased to announce that we will be hosting Security Automation
Days here at MITRE in Bedford, MA on June 14 - 16.

 

Please mark the date.

 

Below is our tentative agenda.

 

Look forward to seeing you there.

 

Steve

 

 

 

Security Automation Days
The MITRE Corporation    Bedford, Massachusetts
June 14 - 16, 2010

Day 1

8:30

0:15

Welcome

 

8:45

3:00

ARF / ASR / PLARR

 

11:45

0:15

CVE Status Report

 

12:00

0:15

CCE Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

XCCDF Status Report

 

13:00

3:30

OVAL

 

16:30

0:15

Day 1 Wrap-Up

 

                               
Day 2

8:00

0:15

Welcome

 

8:15

2:00

Cross-SCAP Standardization

 

10:15

0:15

Break

 

10:30

1:35

Remediation - Part 1

 

12:05

0:10

OCIL Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

SCAP v 1.1 Status Report

 

13:00

3:45

Remediation - Part 2

 

16:45

0:15

Day 2 Wrap-Up

 

                               
Day 3

8:00

0:15

Welcome

 

8:15

2:00

Digital Trust

 

10:15

0:15

Break

 

10:30

1:30

CPE - Part 1

 

12:00

0:15

CEE/EMAP Status Report

 

12:15

0:30

Lunch

 

12:45

0:30

CWE / CAPEC / SAFES Overview

 

13:15

0:10

MAEC Overview

 

13:25

3:20

CPE - Part 2

 

16:45

0:15

Day 3 Wrap-Up

 

 

 

 

 

 

______________________________________________

Stephen P. Boczenowski

      The MITRE Corporation

      Office: (781) 271-7682

      Cell: (978) 302-3849

      [hidden email]

 

Benchmark Development Course

http://benchmarkdevelopment.mitre.org/

 

 


smime.p7s (16K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Security Automation Developer Days - June 14-16

Boczenowski, Steve
In reply to this post by Boczenowski, Steve

Over the past few days, I have received a few inquiries about this message.

 

Some quick follow-up info:

-          The public is invited to this event,

-          There is no fee,

-          You must attend in person in Bedford, MA (i.e. no VTC or telecon)

-          We are currently working on a registration site, which we anticipate will be ready within two weeks.  We will send out an announcement when it is ready.

 

Thanks for your interest and your patience,

    Steve

 

 

 

 

From: Boczenowski, Steve
Sent: Wednesday, March 31, 2010 11:20 AM
To: 'Multiple recipients of list'; oval-discussion-list OVAL Discussion List/Closed Public Discussi; oval-developer-list OVAL Developer List/Closed Public Discussion; '[hidden email]'; cpe-discussion-list CPE Community Forum; cve-announce-list Common Vulnerabilities and Exposures/CVE Annou; cce-announce-list Common Configuration Enumeration/CCE Announcem; Multiple recipients of list
Subject: Security Automation Developer Days - June 14-16

 

MITRE is pleased to announce that we will be hosting Security Automation Days here at MITRE in Bedford, MA on June 14 – 16.

 

Please mark the date.

 

Below is our tentative agenda.

 

Look forward to seeing you there.

 

Steve

 

 

 

Security Automation Days
The MITRE Corporation    Bedford, Massachusetts
June 14 - 16, 2010

Day 1

8:30

0:15

Welcome

 

8:45

3:00

ARF / ASR / PLARR

 

11:45

0:15

CVE Status Report

 

12:00

0:15

CCE Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

XCCDF Status Report

 

13:00

3:30

OVAL

 

16:30

0:15

Day 1 Wrap-Up

 

Day 2

8:00

0:15

Welcome

 

8:15

2:00

Cross-SCAP Standardization

 

10:15

0:15

Break

 

10:30

1:35

Remediation - Part 1

 

12:05

0:10

OCIL Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

SCAP v 1.1 Status Report

 

13:00

3:45

Remediation - Part 2

 

16:45

0:15

Day 2 Wrap-Up

 

Day 3

8:00

0:15

Welcome

 

8:15

2:00

Digital Trust

 

10:15

0:15

Break

 

10:30

1:30

CPE - Part 1

 

12:00

0:15

CEE/EMAP Status Report

 

12:15

0:30

Lunch

 

12:45

0:30

CWE / CAPEC / SAFES Overview

 

13:15

0:10

MAEC Overview

 

13:25

3:20

CPE - Part 2

 

16:45

0:15

Day 3 Wrap-Up

 

 

 

 

 

 

______________________________________________

Stephen P. Boczenowski

      The MITRE Corporation

      Office: (781) 271-7682

      Cell: (978) 302-3849

      [hidden email]

 

Benchmark Development Course

http://benchmarkdevelopment.mitre.org/

 

Reply | Threaded
Open this post in threaded view
|

Re: Security Automation Developer Days - June 14-16

Ernest Park-2
and web access?

to registered users?




On Tue, Apr 6, 2010 at 2:41 PM, Boczenowski, Steve <[hidden email]> wrote:

Over the past few days, I have received a few inquiries about this message.

 

Some quick follow-up info:

-          The public is invited to this event,

-          There is no fee,

-          You must attend in person in Bedford, MA (i.e. no VTC or telecon)

-          We are currently working on a registration site, which we anticipate will be ready within two weeks.  We will send out an announcement when it is ready.

 

Thanks for your interest and your patience,

    Steve

 

 

 

 

From: Boczenowski, Steve
Sent: Wednesday, March 31, 2010 11:20 AM
To: 'Multiple recipients of list'; oval-discussion-list OVAL Discussion List/Closed Public Discussi; oval-developer-list OVAL Developer List/Closed Public Discussion; '[hidden email]'; cpe-discussion-list CPE Community Forum; cve-announce-list Common Vulnerabilities and Exposures/CVE Annou; cce-announce-list Common Configuration Enumeration/CCE Announcem; Multiple recipients of list
Subject: Security Automation Developer Days - June 14-16

 

MITRE is pleased to announce that we will be hosting Security Automation Days here at MITRE in Bedford, MA on June 14 – 16.

 

Please mark the date.

 

Below is our tentative agenda.

 

Look forward to seeing you there.

 

Steve

 

 

 

Security Automation Days
The MITRE Corporation    Bedford, Massachusetts
June 14 - 16, 2010

Day 1

8:30

0:15

Welcome

 

8:45

3:00

ARF / ASR / PLARR

 

11:45

0:15

CVE Status Report

 

12:00

0:15

CCE Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

XCCDF Status Report

 

13:00

3:30

OVAL

 

16:30

0:15

Day 1 Wrap-Up

 

Day 2

8:00

0:15

Welcome

 

8:15

2:00

Cross-SCAP Standardization

 

10:15

0:15

Break

 

10:30

1:35

Remediation - Part 1

 

12:05

0:10

OCIL Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

SCAP v 1.1 Status Report

 

13:00

3:45

Remediation - Part 2

 

16:45

0:15

Day 2 Wrap-Up

 

Day 3

8:00

0:15

Welcome

 

8:15

2:00

Digital Trust

 

10:15

0:15

Break

 

10:30

1:30

CPE - Part 1

 

12:00

0:15

CEE/EMAP Status Report

 

12:15

0:30

Lunch

 

12:45

0:30

CWE / CAPEC / SAFES Overview

 

13:15

0:10

MAEC Overview

 

13:25

3:20

CPE - Part 2

 

16:45

0:15

Day 3 Wrap-Up

 

 

 

 

 

 

______________________________________________

Stephen P. Boczenowski

      The MITRE Corporation

      Office: (781) 271-7682

      Cell: (978) 302-3849

      [hidden email]

 

Benchmark Development Course

http://benchmarkdevelopment.mitre.org/

 


Reply | Threaded
Open this post in threaded view
|

Re: Security Automation Developer Days - June 14-16

Brant Cheikes
In reply to this post by Smith, Robert J Mr NII/DoD-CIO
Bob,

The ISO/IEC 19770-x family of standards, including -2 on "Software
identification tag", recently came to our attention as well, and we are
beginning to look at it closely to better understand how it and CPE relate
to one another.  We (MITRE and NIST) hope to have more to say about it in
the near future.  We'd certainly be interested in coordinating with TagVault
or others as appropriate.

My preliminary review of sections 1-3 of 19770-2 suggest that the standard
goes well beyond what CPE intended, and has a very different implementation
model that assumes vendors will adopt the standard and tag their own
products.  But I can't say I've considered the standard in detail yet, so
that's just my impression.

While we're looking at the standard ourselves, I would certainly appreciate
it if more knowledgeable members of the CPE community would share what they
know about this ISO/IEC standard.  I'd certainly like to know whether
there's an emerging consensus one way or another regarding the community's
need for a CPE standard given the publication of 19770-2.

Cheers,
/Brant

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

-----Original Message-----
From: Smith, Robert J Mr NII/DoD-CIO [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 4:09 PM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June
14-16

Classification: UNCLASSIFIED

All,

The Department of Defense (DoD) IT Asset Management (ITAM) team and the
General Services Administration (GSA) Federal ITAM office teamed up on March
24th, to attend a Work Group session with TagVault and industry software
vendors to discuss the new ISO/IEC 19770-2 software identification tagging
standard and the work in progress on the 19770-3 draft defining the
structure for software entitlement tags.

ISO/IEC 19770-2 is an emerging specification for software tagging to
identify installed software. Data elements in ISO/IEC 19770-2 are consistent
with the Common Platform Enumerator (CPE) specification being developed by
the National Institute of Standards and Technology (NIST). I understand that
CPE has origins in information assurance and vulnerability databases. The
DoD ITAM was originally considering the use of CPE as a possible
authoritative source for a standard DoD software library. TagVault.org,
which is being looked at by the GSA Federal ITAM office and the SmartBuy
program office, is driving an effort to work with vendors to populate a
software library using ISO/IEC 19770-2. The Air Force is also serious about
ISO/IEC 19770-2 by making it a part of their draft NETCENTS2 contract
requirements with an effect date of Jan 2010. DoD ITAM would like to
coordinate with CPE and TagVault to promote a coordinated or unified effort.
I think both efforts are very similar and we could reap great benefits in
joining the efforts.  Why coordinate with every commercial software vendor
on zillions of product titles, vet it all through a board, develop a
database that needs to be maintained (resource intensive) and find out that
the information is or could be made available by your COTS vendors through
software identification tags?  I would hope that auto discover tool vendors
will adopt the ISO/IEC 19770-2 standard sooner than later, which will make
it easier to identify how much of what products you have by mfgr, product
date, product title, version, patch, bundle, model, etc.  Full
implementation of the standard across the DoD, GSA, and the commercial
sector is a ways off yet, but is getting a lot of attention lately,  asset
managers will reap big rewards when software vendors start adhering to the
new standard.  No doubt that compliance and audit issues will diminish over
time and maybe help us all in our security posture.
 
Another standard, ISO 19770-3, is emerging for entitlements to provide
common definitions for the intellectual property rights included in a
software license (e.g., term vs. perpetual use, single vs. multi-user
installation, authorization to install on secondary portable device). The
other working group for entitlements has formed, with the objective to
create standards for the intellectual property rights provided with software
licenses.

The DoD ITAM team plans to work with GSA and TagVault on the entitlement
effort and would like to promote a coordinated and unified effort in regard
to software identification tagging with GSA, TagVault and the CPE community.

Your thoughts and comments are welcome.


R/
Bob Smith

(703) 601-4729 ext 124
[hidden email]

-----Original Message-----
From: Baker, Jon [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 1:39 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June
14-16

Ernest,

 

Speaking for OVAL, as the event approaches I plan to make sure that the
community is well aware of the impact of these meetings and their ongoing
contributions to OVAL. At the moment I think the opening few minutes of the
OVAL session will cover a status update and recap of the actions take since
the last OVAL developer days.

 

It should also be noted that more information and a registration form will
be posted in the near future.

 

Thanks,

 

Jon

 

============================================

Jonathan O. Baker

G022 - IA Industry Collaboration

The MITRE Corporation

Email: [hidden email]

 

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 11:23 AM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June
14-16

 

I find it disappointing that you make no effort to support remote attendance
for these meetings.

 

Additionally, before I attend another meeting like this, it would be nice to
see the action items from prior meetings and the actions taken as a result.
I am sure that we would like to see that historically our participation has
measured benefits.

 

 

 

Ernie

On Wed, Mar 31, 2010 at 11:20 AM, Boczenowski, Steve <[hidden email]>
wrote:

MITRE is pleased to announce that we will be hosting Security Automation
Days here at MITRE in Bedford, MA on June 14 - 16.

 

Please mark the date.

 

Below is our tentative agenda.

 

Look forward to seeing you there.

 

Steve

 

 

 

Security Automation Days
The MITRE Corporation    Bedford, Massachusetts
June 14 - 16, 2010

Day 1

8:30

0:15

Welcome

 

8:45

3:00

ARF / ASR / PLARR

 

11:45

0:15

CVE Status Report

 

12:00

0:15

CCE Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

XCCDF Status Report

 

13:00

3:30

OVAL

 

16:30

0:15

Day 1 Wrap-Up

 

                               
Day 2

8:00

0:15

Welcome

 

8:15

2:00

Cross-SCAP Standardization

 

10:15

0:15

Break

 

10:30

1:35

Remediation - Part 1

 

12:05

0:10

OCIL Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

SCAP v 1.1 Status Report

 

13:00

3:45

Remediation - Part 2

 

16:45

0:15

Day 2 Wrap-Up

 

                               
Day 3

8:00

0:15

Welcome

 

8:15

2:00

Digital Trust

 

10:15

0:15

Break

 

10:30

1:30

CPE - Part 1

 

12:00

0:15

CEE/EMAP Status Report

 

12:15

0:30

Lunch

 

12:45

0:30

CWE / CAPEC / SAFES Overview

 

13:15

0:10

MAEC Overview

 

13:25

3:20

CPE - Part 2

 

16:45

0:15

Day 3 Wrap-Up

 

 

 

 

 

 

______________________________________________

Stephen P. Boczenowski

      The MITRE Corporation

      Office: (781) 271-7682

      Cell: (978) 302-3849

      [hidden email]

 

Benchmark Development Course

http://benchmarkdevelopment.mitre.org/

 

 


smime.p7s (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Call for Tracker Items

Brant Cheikes
In reply to this post by Ernest Park-2

I agree with Ernie that we haven’t been doing a good job maintaining and tracking a list of open issues in connection with CPE development.  At present, we have a “tracker” exposed on the CPE website at: http://cpe.mitre.org/specification/tracker.html.  But the implementation is weak and the content is out of date.  Here’s what I propose to do about those problems:

 

First, regarding the “tracker” tool itself, we’re currently investigating whether it would be easy (order of a handful of labor hours) to upgrade our existing tracker mechanism to expose more information and be more useful.  As an off-the-shelf alternative, we’re considering NIST’s JIRA system (cf. https://services.nvd.nist.gov/jira/secure/Dashboard.jspa).  I’d be curious whether there’s strong sentiment in the CPE community towards or away from JIRA.  We’ll try to make a decision within the next two weeks.  If we can’t pick and/or populate a tool quickly, we’ll simply collect open issues for the short term in a document posted on the CPE website.

 

Second, normally I would commit to personally reviewing the discussion archives and preparing an up-to-date enumeration of outstanding issues.  But between now and roughly early July, I and the rest of the CPE Core Team are working heads-down to plan and execute the next release of CPE.  (And I hope to be able to release more information about that soon.)  Although we don’t have a tangible list of explicitly tracked issues, the Core Team believes we have a good feeling for what those issues are—but we could be wrong.  I need to find a balance between keeping the team focused on developing the next release of the specification and diverting energy towards compiling an issues list.  So what I’d like to do is “crowd source” the issues list—that is, I’d like to issue an open call for “tracker items”.  I’ll then commit to getting the items recorded in a public place, either an upgraded “tracker” on the CPE website, or in JIRA.

 

To submit an issue, please reply to this message (so the word Tracker stays in the subject line) and include as much of the following information as you reasonably can:

 

·         A short title for the tracker item;

·         A description (up to a paragraph of text) of the issue;

·         One or more URLs pointing to any related discussion (in the nabble archives) or documents.

 

We’ll get the responses cleaned up, consolidated and posted, then add information about resolutions, etc., as our work proceeds.  I hope this approach will meet the community’s needs.

 

Cheers,

/Brant

 

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

 

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 2:05 PM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June 14-16

 

Jon - 

 

 

Having been at a few of these sessions, what I want a recap of, posted herein, is the open items over the last few years, action taken, and things outstanding.

 

Show us as a community that this project is alive.

 

Why not post the project, maintainers, open issues with assignments on an open project hosting site - Sourceforge, Google, etc?

 

 

There are still a substantial number of "sticking issues". How about a public bug list with status and assignment? Let us see the associated workflows to SCAP. Maybe we can help.

 

We are being asked to contribute to, support, and endorse an open  concept that is more of a black box. I have to travel to MA to get status updates and participate in project meetings. In the days of high speed connectivity, it seems like we are not embracing the technology that we intend to automate and manage.

 

 

 

Ernie

On Wed, Mar 31, 2010 at 1:38 PM, Baker, Jon <[hidden email]> wrote:

Ernest,

 

Speaking for OVAL, as the event approaches I plan to make sure that the community is well aware of the impact of these meetings and their ongoing contributions to OVAL. At the moment I think the opening few minutes of the OVAL session will cover a status update and recap of the actions take since the last OVAL developer days.

 

It should also be noted that more information and a registration form will be posted in the near future.

 

Thanks,

 

Jon

 

============================================

Jonathan O. Baker

G022 - IA Industry Collaboration

The MITRE Corporation

Email: [hidden email]

 

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 11:23 AM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June 14-16

 

I find it disappointing that you make no effort to support remote attendance for these meetings.

 

Additionally, before I attend another meeting like this, it would be nice to see the action items from prior meetings and the actions taken as a result. I am sure that we would like to see that historically our participation has measured benefits.

 

 

 

Ernie

On Wed, Mar 31, 2010 at 11:20 AM, Boczenowski, Steve <[hidden email]> wrote:

MITRE is pleased to announce that we will be hosting Security Automation Days here at MITRE in Bedford, MA on June 14 – 16.

 

Please mark the date.

 

Below is our tentative agenda.

 

Look forward to seeing you there.

 

Steve

 

 

 

Security Automation Days
The MITRE Corporation    Bedford, Massachusetts
June 14 - 16, 2010

Day 1

8:30

0:15

Welcome

 

8:45

3:00

ARF / ASR / PLARR

 

11:45

0:15

CVE Status Report

 

12:00

0:15

CCE Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

XCCDF Status Report

 

13:00

3:30

OVAL

 

16:30

0:15

Day 1 Wrap-Up

 

Day 2

8:00

0:15

Welcome

 

8:15

2:00

Cross-SCAP Standardization

 

10:15

0:15

Break

 

10:30

1:35

Remediation - Part 1

 

12:05

0:10

OCIL Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

SCAP v 1.1 Status Report

 

13:00

3:45

Remediation - Part 2

 

16:45

0:15

Day 2 Wrap-Up

 

Day 3

8:00

0:15

Welcome

 

8:15

2:00

Digital Trust

 

10:15

0:15

Break

 

10:30

1:30

CPE - Part 1

 

12:00

0:15

CEE/EMAP Status Report

 

12:15

0:30

Lunch

 

12:45

0:30

CWE / CAPEC / SAFES Overview

 

13:15

0:10

MAEC Overview

 

13:25

3:20

CPE - Part 2

 

16:45

0:15

Day 3 Wrap-Up

 

 

 

 

 

 

______________________________________________

Stephen P. Boczenowski

      The MITRE Corporation

      Office: (781) 271-7682

      Cell: (978) 302-3849

      [hidden email]

 

Benchmark Development Course

http://benchmarkdevelopment.mitre.org/

 

 

 

Reply | Threaded
Open this post in threaded view
|

Re: Call for Tracker Items

Brant Cheikes
In reply to this post by Ernest Park-2

We’ve implemented an updated issue tracker on the CPE public website (wasn’t too hard, actually), and I’ve made an effort to bring the content up to date.  Have a look, and feel free to suggest additional items to be included:

http://cpe.mitre.org/specification/tracker.html

 

Cheers,

/Brant

 

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

 

From: Cheikes, Brant A.
Sent: Wednesday, April 14, 2010 5:31 PM
To: cpe-discussion-list CPE Community Forum
Subject: Call for Tracker Items

 

I agree with Ernie that we haven’t been doing a good job maintaining and tracking a list of open issues in connection with CPE development.  At present, we have a “tracker” exposed on the CPE website at: http://cpe.mitre.org/specification/tracker.html.  But the implementation is weak and the content is out of date.  Here’s what I propose to do about those problems:

 

First, regarding the “tracker” tool itself, we’re currently investigating whether it would be easy (order of a handful of labor hours) to upgrade our existing tracker mechanism to expose more information and be more useful.  As an off-the-shelf alternative, we’re considering NIST’s JIRA system (cf. https://services.nvd.nist.gov/jira/secure/Dashboard.jspa).  I’d be curious whether there’s strong sentiment in the CPE community towards or away from JIRA.  We’ll try to make a decision within the next two weeks.  If we can’t pick and/or populate a tool quickly, we’ll simply collect open issues for the short term in a document posted on the CPE website.

 

Second, normally I would commit to personally reviewing the discussion archives and preparing an up-to-date enumeration of outstanding issues.  But between now and roughly early July, I and the rest of the CPE Core Team are working heads-down to plan and execute the next release of CPE.  (And I hope to be able to release more information about that soon.)  Although we don’t have a tangible list of explicitly tracked issues, the Core Team believes we have a good feeling for what those issues are—but we could be wrong.  I need to find a balance between keeping the team focused on developing the next release of the specification and diverting energy towards compiling an issues list.  So what I’d like to do is “crowd source” the issues list—that is, I’d like to issue an open call for “tracker items”.  I’ll then commit to getting the items recorded in a public place, either an upgraded “tracker” on the CPE website, or in JIRA.

 

To submit an issue, please reply to this message (so the word Tracker stays in the subject line) and include as much of the following information as you reasonably can:

 

·         A short title for the tracker item;

·         A description (up to a paragraph of text) of the issue;

·         One or more URLs pointing to any related discussion (in the nabble archives) or documents.

 

We’ll get the responses cleaned up, consolidated and posted, then add information about resolutions, etc., as our work proceeds.  I hope this approach will meet the community’s needs.

 

Cheers,

/Brant

 

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

 

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 2:05 PM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June 14-16

 

Jon - 

 

 

Having been at a few of these sessions, what I want a recap of, posted herein, is the open items over the last few years, action taken, and things outstanding.

 

Show us as a community that this project is alive.

 

Why not post the project, maintainers, open issues with assignments on an open project hosting site - Sourceforge, Google, etc?

 

 

There are still a substantial number of "sticking issues". How about a public bug list with status and assignment? Let us see the associated workflows to SCAP. Maybe we can help.

 

We are being asked to contribute to, support, and endorse an open  concept that is more of a black box. I have to travel to MA to get status updates and participate in project meetings. In the days of high speed connectivity, it seems like we are not embracing the technology that we intend to automate and manage.

 

 

 

Ernie

On Wed, Mar 31, 2010 at 1:38 PM, Baker, Jon <[hidden email]> wrote:

Ernest,

 

Speaking for OVAL, as the event approaches I plan to make sure that the community is well aware of the impact of these meetings and their ongoing contributions to OVAL. At the moment I think the opening few minutes of the OVAL session will cover a status update and recap of the actions take since the last OVAL developer days.

 

It should also be noted that more information and a registration form will be posted in the near future.

 

Thanks,

 

Jon

 

============================================

Jonathan O. Baker

G022 - IA Industry Collaboration

The MITRE Corporation

Email: [hidden email]

 

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, March 31, 2010 11:23 AM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Security Automation Developer Days - June 14-16

 

I find it disappointing that you make no effort to support remote attendance for these meetings.

 

Additionally, before I attend another meeting like this, it would be nice to see the action items from prior meetings and the actions taken as a result. I am sure that we would like to see that historically our participation has measured benefits.

 

 

 

Ernie

On Wed, Mar 31, 2010 at 11:20 AM, Boczenowski, Steve <[hidden email]> wrote:

MITRE is pleased to announce that we will be hosting Security Automation Days here at MITRE in Bedford, MA on June 14 – 16.

 

Please mark the date.

 

Below is our tentative agenda.

 

Look forward to seeing you there.

 

Steve

 

 

 

Security Automation Days
The MITRE Corporation    Bedford, Massachusetts
June 14 - 16, 2010

Day 1

8:30

0:15

Welcome

 

8:45

3:00

ARF / ASR / PLARR

 

11:45

0:15

CVE Status Report

 

12:00

0:15

CCE Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

XCCDF Status Report

 

13:00

3:30

OVAL

 

16:30

0:15

Day 1 Wrap-Up

 

Day 2

8:00

0:15

Welcome

 

8:15

2:00

Cross-SCAP Standardization

 

10:15

0:15

Break

 

10:30

1:35

Remediation - Part 1

 

12:05

0:10

OCIL Status Report

 

12:15

0:30

Lunch

 

12:45

0:15

SCAP v 1.1 Status Report

 

13:00

3:45

Remediation - Part 2

 

16:45

0:15

Day 2 Wrap-Up

 

Day 3

8:00

0:15

Welcome

 

8:15

2:00

Digital Trust

 

10:15

0:15

Break

 

10:30

1:30

CPE - Part 1

 

12:00

0:15

CEE/EMAP Status Report

 

12:15

0:30

Lunch

 

12:45

0:30

CWE / CAPEC / SAFES Overview

 

13:15

0:10

MAEC Overview

 

13:25

3:20

CPE - Part 2

 

16:45

0:15

Day 3 Wrap-Up

 

 

 

 

 

 

______________________________________________

Stephen P. Boczenowski

      The MITRE Corporation

      Office: (781) 271-7682

      Cell: (978) 302-3849

      [hidden email]

 

Benchmark Development Course

http://benchmarkdevelopment.mitre.org/

 

 

 

Reply | Threaded
Open this post in threaded view
|

ARF 0.41.2 pre-coordination draft release

Wolfkiel, Joseph

All,

 

For those that want to provide advice on the pre-release draft, here’s the current draft of CPE 0.41.2, schemas only.

 

A few things have been changed that allow significantly more flexibility and data carrying capacity.  If you’re interested, please take a look.  Since this isn’t formal coordination, I don’t have a hard deadline for comments.

 

Specific “features” of interest:

1.        Addition of a hardware configuration component at the device level.  Not very comprehensive, but addresses CPU, RAM, and hard drives.  Let me know if there are any other “standard” pieces of data that are needed here.

2.       Addition of the “Generic report object” type with references distributed throughout the device model.  This is basically a structured “any” tag that requires that you assign an ID, name, and namespace to any new object you add, so a consumer can always identify an object that is consumed, even if it doesn’t understand the schema and stores it as a CLOB in the database.  Common objects we expect to see passed as “generic report objects” include Plans of Action & Milestones and CVSS environmental scores.

3.       Addition of attribute-based elements to the AssessedName component in the CPE Record 0.1 schema.  This should allow vendors to report the names of discovered software regardless of whether a CPE name has been assigned.

4.       Addition of “account” at the CPE Record level so you can report users and some common metadata about them.  I’m not sure what common metadata is collected for user accounts, so please let me know what seems reasonable.

5.       Addition of the BIOS ID to the device identifiers – Some vendors think this is the best way to identify a given device.  Not sure if it should be a string or hex value.

 

Please let me know your thought on the directions this has taken.  Many of the changes are attempts to address vendor input or problems we have run into while trying to implement ARF as a data exchange standard internal to the DoD.

 

Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


ARF 0-41-2 pre-release draft 04-24-10.zip (153K) Download Attachment