[Owasp-leaders] Call For MITRE/OWASP Community Engineering Collaboration

Sherif Mansour sherif.mansour at owasp.org
Tue Sep 11 23:09:10 UTC 2018


Dear all,

During AppSec Europe this year we were fortunate enough to have a member of
MITRE <https://www.mitre.org/> (Charles Schmidt) present on Security
Automation Research and Standards
<https://2018.appsec.eu/presos/CISO_Current-Research-and-Standards_Charles-M-Schmidt_AppSecEU2018.pdf>.
I am delighted to say MITRE have reached out to OWASP encouraging to
community to participate in some of the work taking place right now.
If you are interested in collaborating on these research and standards
projects please reach out to me and I will get you in touch. This is
particularly important be cause it takes a community to solve some of the
eco-system wide problems and it is with in the mission of OWASP to help.

It would be great to get some help from the OWASP community on addressing
some of the remaining gaps in the SCAP design.
<https://csrc.nist.gov/projects/security-content-automation-protocol/> In
particular, one key gap MITRE <https://www.mitre.org/> need to address is
the interactions with the configuration management database (CMDB). This is
the database that facilitates orchestration by storing all collected
endpoint information and then making it available to authorized analysis
and evaluation tools. The CMDB plays an important role in SCAP
<https://csrc.nist.gov/projects/security-content-automation-protocol/>
and MITRE
<https://www.mitre.org/>really need more people who have experience with
enterprise database use and operation to help provide guidance on the best
way to support these interfaces. A proof-of-concept implementation of a
CMDB interacting with either the Posture Collection Server (which collects
endpoint state information) or with some analytic tool would go a long way
towards helping us better understand the needs of any CMDB interfaces.

A second area that would be great to get some help on would be to expand
the endpoint collection mechanisms. Right now, SCAP
<https://csrc.nist.gov/projects/security-content-automation-protocol/>uses NEA
<https://datatracker.ietf.org/wg/nea/documents/>for endpoint collection,
but there is a strong desire to add support for YANG
<https://tools.ietf.org/html/rfc6020>as an endpoint state collection method
in order to support a wider range of endpoints. If there are members of the
OWASP community who have YANG <https://tools.ietf.org/html/rfc6020>
experience, that would be a big help. Again, having a proof-of-concept
demonstration of how YANG <https://tools.ietf.org/html/rfc6020> could be
used for endpoint state collection would be a big help in figuring out how
to standardize this capability.

Kind regards,

-- 

Sherif Mansour
OWASP Global Board Member & OWASP London Chapter Leader
Site: https://www.owasp.org/index.php/London
Email: sherif.mansour at owasp.org
Follow OWASP London Chapter on Twitter: @owasplondon
<https://twitter.com/OWASPLondon>
"Like" us on Facebook: https://www.facebook.com/OWASPLondon
Subscribe to our (lightweight) mailing list:
https://lists.owasp.org/mailman/listinfo/owasp-london

Consider giving back, and supporting the open source community by becoming
a member <https://www.owasp.org/index.php/Membership> or making a donation
<https://www.owasp.org/index.php/Donate> today!


Join us at AppSec USA 2018 <https://2018.appsecusa.org/> 8-12 October in
San Jose, CA!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20180912/ba1ee45a/attachment.html>


More information about the OWASP-Leaders mailing list