Re: [sacm] Hackathon Goals and Stretch Goals

We've been collaborating with Andreas Steffens on a SWIMA collector that
operates well with strongSwan's NEA implementation. We hope to bring both
SWIMA and strongSwan to the Hackathon.

On Thu, May 25, 2017 at 9:06 AM, Adam Montville <adam.w.montville@gmail.com>
wrote:

> I'm viewing the problem essentially in two parts. 1) we need to understand
> the information we need between each component to inform the information
> model, then 2) we will need to figure out how to best represent that
> information. Solidifying the information model seems like the latter, which
> cannot really be done without first understanding the former. To me, the
> hackathon should be first focused on the former - learning more about the
> information we really need - before it gets too far along.
>
> This is not to say that we will not be able to address both! Instead, I am
> suggesting that we, in earnest, start focusing on the first part of this
> problem, and then hopefully get to the second part of the problem.
>
> We have three distinct goals. We have a user story. Now we need a team to
> come together and start working even before we get to Prague, so that we
> can make some real progress. There is not very much time left...
>
> Bill and I are committed. I believe Dave and Stephen are committed. Henk,
> I think, is committed also. Who else is interested in participating? And,
> how do we want to start running this? We can set up a code repo in GitHub
> so we have a place to track work items, issues, etc.  Being committed to
> the effort requires becoming and remaining engaged in an ongoing work
> effort.
>
> Kind regards,
>
> Adam
>
> On Tue, May 23, 2017 at 12:02 PM Nancy Cam-Winget (ncamwing) <
> ncamwing@cisco.com> wrote:
>
>> Hi all,
>>
>> Trying to catch up on the thread….I would agree with Ira and Henk’s
>> comments/suggestion that we should be working towards a SACM goal.  That
>> is, SACM has been working on solidifying an IM and the IM elements which
>> are a MUST to implement….that way we enable the interoperability across the
>> heterogeneity of the information available.
>>
>> I think there are going to be modules (or “glue”) needed to enable the
>> current DB’s/repositories and their interfaces to be able to expose their
>> available data in an (SACM) interoperable flow.
>>
>> If Henk can provide this, then we can focus on the mappings to get the
>> interop underway then….
>>
>>         Nancy
>>
>> On 5/22/17, 9:48 AM, "sacm on behalf of Henk Birkholz" <
>> sacm-bounces@ietf.org on behalf of henk.birkholz@sit.fraunhofer.de>
>> wrote:
>>
>>     Hello all,
>>
>>     I totally agree that the method employed in Collection Tasks should
>> not
>>     use the inter-component mechanism/format of distributing SACM content
>> with.
>>
>>     E.g. if there is a SWID repository that is a database (there are open
>>     but not commonly or currently used examples for data base schemas in
>>     regard to the outdated 2009 version of SWID, as far as I know), of
>>     course an SQL query is used to collect them. In this example the
>>     acquisition method employed by a Collector is simply an SQL used by
>> that
>>     data base. We SHOULD NOT build an alternative way to convey that
>>     information!
>>
>>     Same goes for Attributes via IF-M to address Danny's example.
>>
>>     Now, looking downstream, the information queried has to be composed
>> into
>>     an actual tag. Most likely, a DB about tags will store the most
>>     important items to query tags in tables (e.g. tag_id, entity_id,
>>     package_name, version, etc.) and also the complete XML blob (if it
>> fits
>>     into a DB value, they can be large if stored in native XML). This is
>> the
>>     way that the only open source example that I actually personally know
>> of
>>     does it, at least.
>>
>>     If you finally have that tag (re-composed or queried en'blob)
>> collected
>>     and it is about a vulnerable software package that is currently
>>     installed as software instances on target endpoints, how to convey
>> that
>>     information to other downstream components is the interesting point
>>     here: Partial, or as a byte blob, or mapped to IE, at least in a way
>>     that is not surprising to any SACM component in general.
>>
>>     If we do not use a common message encoding and msg structure (data
>>     model) here (may it even be so preliminary that we just learn to use
>> sth
>>     else), how should interop with further components work? I was under
>> the
>>     impression that is the point of the IM?
>>
>>     If nobody has the time to do this (which might be the only concern?),
>> I
>>     can whip up an example using XSD and CDDL, and even YANG for YANG
>> event
>>     notification, if I find more than one or two consecutive hours...
>>
>>     Viele Grüße,
>>
>>     Henk
>>
>>
>>     On 05/22/2017 04:16 PM, Haynes, Dan wrote:
>>     > It’s probably also worth pointing out that if we are using existing
>>     > protocols such as NEA, it may not make sense to directly change the
>>     > fields in its over-the-wire format to match the SACM IM (e.g.
>>     > communications between endpoint and server), rather, provide a
>> mapping.
>>     > Then, when the server receives the data, it can use the mapping to
>> store
>>     > the data in the repository such that it aligns with the data
>> described
>>     > in the IM. This approach will likely be required when we want to
>>     > leverage existing protocols where we may not have the ability to
>> change
>>     > them (e.g. Apple MDM and Configuration Profiles, Windows PowerShell
>>     > Desired State Configuration, etc.). With all that said, the explicit
>>     > approach may be more desirable when we are developing our own
>> protocols
>>     > or have significant influence and support to change existing
>> protocols.
>>     > I guess I am just trying to say we probably want to support both
>>     > approaches :).
>>     >
>>     >
>>     >
>>     > Thanks,
>>     >
>>     > Danny
>>     >
>>     >
>>     >
>>     > *From:*sacm [mailto:sacm-bounces@ietf.org] *On Behalf Of *Ira
>> McDonald
>>     > *Sent:* Friday, May 19, 2017 2:39 PM
>>     > *To:* Adam Montville <adam.w.montville@gmail.com>; Ira McDonald
>>     > <blueroofmusic@gmail.com>
>>     > *Cc:* Henk Birkholz <henk.birkholz@sit.fraunhofer.de>;
>> sacm@ietf.org
>>     > *Subject:* Re: [sacm] Hackathon Goals and Stretch Goals
>>     >
>>     >
>>     >
>>     > Hi Adam,
>>     >
>>     > Chiming in below on one point raised in this Hackathon goals
>> conversation.
>>     >
>>     > Cheers,
>>     >
>>     > - Ira
>>     >
>>     >
>>     >
>>     > On Tue, May 16, 2017 at 2:47 PM, Adam Montville
>>     > <adam.w.montville@gmail.com <mailto:adam.w.montville@gmail.com>>
>> wrote:
>>     >
>>     >     Hi Henk. I'll try inline.
>>     >
>>     >     On Tue, May 16, 2017 at 11:04 AM Henk Birkholz
>>     >     <henk.birkholz@sit.fraunhofer.de
>>     >     <mailto:henk.birkholz@sit.fraunhofer.de>> wrote:
>>     >
>>     >     <...snip...>
>>     >
>>     >
>>     >         Also, I noticed conflicting notions about how important it
>> is to
>>     >         prepare
>>     >         a message format to convey information between components.
>> While it
>>     >         might not be as critical as "having actual component code to
>>     >         work with",
>>     >         interoperability is key. And if we would agree on a
>> preliminary data
>>     >         structure (probably derived from the current IM), before we
>>     >         start the
>>     >         hackathon, we could save some time during the f2f on-site.
>> It's
>>     >         probably
>>     >         a low hanging fruit also, as I am not talking about every
>> IE to be
>>     >         conveyed, but about the general message structure ("the
>>     >         container") and
>>     >         the corresponding encoding for data in motion.
>>     >
>>     >
>>     >
>>     >     [AWM] There are differing perspectives on this front. Yes,
>> having a
>>     >     common structure could be useful, but it may not be necessary
>> for
>>     >     the purposes of this effort. This effort is somewhat different
>> from
>>     >     others that I've heard of, in that we are not implementing a
>>     >     solution as much as we are discovering one. I do expect that we
>> will
>>     >     discover the structures we need as we develop the solution.
>> What do
>>     >     others think about this? Do we need to have this information up
>>     >     front, or is it something we can discover as we go?
>>     >
>>     >
>>     >
>>     > <ira> For message wire format for the Hackathon, please consider
>> taking
>>     > the SACM
>>     > Information Model verbatim and using that XSD for XML wire format.
>>     > Efficiency is
>>     >
>>     > totally irrelevant.  So is elegance.  You're trying to do a proof of
>>     > concept.  Defining
>>     >
>>     > the Hackathon wire format interactively in the room is a time waster
>>     > idea, IMO.
>>     >
>>     >
>>     >
>>     >
>>     >         Thoughts?
>>     >
>>     >
>>     >         Viele Grüße,
>>     >
>>     >         Henk
>>     >
>>     >
>>     >
>>     >
>>     >         On 05/16/2017 05:12 PM, Haynes, Dan wrote:
>>     >         > Seems like a reasonable story to focus around, for the
>>     >         hackathon, to me.
>>     >         >
>>     >         >
>>     >         >
>>     >         > Thanks,
>>     >         >
>>     >         > Danny
>>     >         >
>>     >         >
>>     >         >
>>     >         > *From:*sacm [mailto:sacm-bounces@ietf.org
>>     >         <mailto:sacm-bounces@ietf.org>] *On Behalf Of *Jerome
>> Athias
>>     >         > *Sent:* Monday, May 15, 2017 11:12 PM
>>     >         > *To:* Adam Montville <adam.w.montville@gmail.com
>>     >         <mailto:adam.w.montville@gmail.com>>; Waltermire, David A.
>>     >         > (Fed) <david.waltermire@nist.gov
>>     >         <mailto:david.waltermire@nist.gov>>; sacm@ietf.org
>>     >         <mailto:sacm@ietf.org>
>>     >         > *Subject:* Re: [sacm] Hackathon Goals and Stretch Goals
>>     >         >
>>     >         >
>>     >         >
>>     >         > I think it's a good idea too.
>>     >         >
>>     >         > I don't know who is supposed to participate to this
>> hackathon?
>>     >         >
>>     >         > Potentially you could market it by capitalizing on real
>> known
>>     >         events,
>>     >         > (without trolling) let's say "new critical
>> vulnerability", "for
>>     >         > preventing ransomware" "FictitousCorp needs to Respond
>> quickly
>>     >         and have
>>     >         > a system to Identify and Protect its endpoints..."
>>     >         >
>>     >         >
>>     >         >
>>     >         >
>>     >         >
>>     >         > On Tue, 16 May 2017 at 00:30, Adam Montville
>>     >         <adam.w.montville@gmail.com <mailto:adam.w.montville@
>> gmail.com>
>>     >         > <mailto:adam.w.montville@gmail.com
>>     >         <mailto:adam.w.montville@gmail.com>>> wrote:
>>     >         >
>>     >         >     I think that's a good idea. How do folks feel about
>> this
>>     >         story? Is
>>     >         >     it lacking anything? Is it too specific? What would
>> you
>>     >         change about
>>     >         >     it if you could?
>>     >         >
>>     >         >
>>     >         >
>>     >         >     On Mon, May 15, 2017 at 12:57 PM Waltermire, David A.
>> (Fed)
>>     >         >     <david.waltermire@nist.gov
>>     >         <mailto:david.waltermire@nist.gov>
>>     >         <mailto:david.waltermire@nist.gov
>>     >         <mailto:david.waltermire@nist.gov>>> wrote:
>>     >         >
>>     >         >         I was thinking that it would be useful to have a
>> user
>>     >         story to
>>     >         >         implement against for the Hackathon. How about
>>     >         something like
>>     >         >         the following that maps to our goals:
>>     >         >
>>     >         >
>>     >         >
>>     >         >         A vendor identifies a vulnerability in their
>> software
>>     >         product.
>>     >         >         They produce a new version of their software and
>> publish a
>>     >         >         vulnerability bulletin that indicates customers
>> should
>>     >         upgrade
>>     >         >         to the new version to address the vulnerability.
>> The
>>     >         product
>>     >         >         versions have both a SWID tag and a CoSWID tag.
>> As a
>>     >         customer of
>>     >         >         this vendor that uses the affected products, we
>> need
>>     >         to build a
>>     >         >         vulnerability assessment system that is capable of
>>     >         detecting
>>     >         >         what version of the software is installed and
>>     >         determine if that
>>     >         >         version is vulnerable using the vendor provided
>>     >         information. The
>>     >         >         Collector will be capable of gathering software
>> inventory
>>     >         >         information from one or more target endpoints by:
>>     >         >
>>     >         >
>>     >         >
>>     >         >         1)      Requesting software inventory information
>> for the
>>     >         >         affected software based on an ad-hoc request.
>>     >         >
>>     >         >         2)      Reporting the software inventory as
>> software
>>     >         changes occur
>>     >         >
>>     >         >
>>     >         >
>>     >         >         Collected software inventory information will be
>>     >         stored in the
>>     >         >         Assessment Results Repository and will be
>> compared to
>>     >         >         vulnerability detection data retrieved from the
>>     >         Vulnerability
>>     >         >         Detection Data Repository. The vulnerability
>> detection
>>     >         data will
>>     >         >         be derived from the vendor provided information in
>>     >         some useful
>>     >         >         way to be determined by the Vulnerability
>> Assessor.
>>     >         >
>>     >         >
>>     >         >
>>     >         >         How does this look?
>>     >         >
>>     >         >
>>     >         >
>>     >         >         Regards,
>>     >         >
>>     >         >         Dave
>>     >         >
>>     >         >
>>     >         >
>>     >         >         *From:*sacm [mailto:sacm-bounces@ietf.org
>>     >         <mailto:sacm-bounces@ietf.org>
>>     >         >         <mailto:sacm-bounces@ietf.org
>>     >         <mailto:sacm-bounces@ietf.org>>] *On Behalf Of *Adam
>> Montville
>>     >         >         *Sent:* Tuesday, May 09, 2017 3:30 PM
>>     >         >         *To:* sacm@ietf.org <mailto:sacm@ietf.org>
>>     >         <mailto:sacm@ietf.org <mailto:sacm@ietf.org>>
>>     >         >         *Subject:* Re: [sacm] Hackathon Goals and Stretch
>> Goals
>>     >         >
>>     >         >
>>     >         >
>>     >         >         All:
>>     >         >
>>     >         >
>>     >         >
>>     >         >         This week Dave and I have had an opportunity to
>>     >         discuss these a
>>     >         >         bit further. We've come up with the following set
>> of
>>     >         goals and
>>     >         >         outcomes:
>>     >         >
>>     >         >
>>     >         >
>>     >         >         GOAL: Running code demonstrating the communication
>>     >         needs between
>>     >         >         identified components as they pertain to the
>> on-request
>>     >         >         collection case through the scenario, where that
>> case is
>>     >         >         described
>>     >         >         at
>>     >         https://trac.ietf.org/trac/sacm/wiki/
>> SacmVulnerabilityAssessmentScenario.
>>     >         >         OUTCOME: We will have specific understanding of
>>     >         components'
>>     >         >         boundaries and the necessary information flows
>> (including
>>     >         >         information being communicated) between them.
>>     >         >
>>     >         >
>>     >         >
>>     >         >         GOAL: Leverage existing collected data in a data
>>     >         repository.
>>     >         >         OUTCOME: Demonstrate that previously collected
>> data can be
>>     >         >         reused to support vulnerability assessment
>>     >         >
>>     >         >
>>     >         >
>>     >         >         GOAL: Running code to extend that base case to
>> include a
>>     >         >         mechanism capable of monitoring a given set of
>> endpoint
>>     >         >         attributes for change. OUTCOME: We will have
>> specific
>>     >         >         understanding of additional architectural
>>     >         considerations for
>>     >         >         handling monitoring vs. on-request collection, as
>> well
>>     >         as any
>>     >         >         additional information flows required.
>>     >         >
>>     >         >
>>     >         >
>>     >         >         Does anyone care to bash these goal-ouctome pairs
>> in
>>     >         the context
>>     >         >         of our hackathon plans?  If so, please do so over
>> the
>>     >         next day
>>     >         >         or two, otherwise these will become the stated
>> goals
>>     >         for our
>>     >         >         hackathon.
>>     >         >
>>     >         >
>>     >         >
>>     >         >         Kind regards,
>>     >         >
>>     >         >
>>     >         >
>>     >         >         Adam
>>     >         >
>>     >         >
>>     >         >
>>     >         >         On Tue, May 2, 2017 at 4:40 PM Adam Montville
>>     >         >         <adam.w.montville@gmail.com
>>     >         <mailto:adam.w.montville@gmail.com>
>>     >         <mailto:adam.w.montville@gmail.com
>>     >         <mailto:adam.w.montville@gmail.com>>>
>>     >         >         wrote:
>>     >         >
>>     >         >             All:
>>     >         >
>>     >         >
>>     >         >
>>     >         >             Last week Dave sent a list of milestones to
>> the
>>     >         list. The
>>     >         >             first of which was for the WG to define some
>> goals
>>     >         for the
>>     >         >             IETF 99 hackathon. I can see at least one
>> primary
>>     >         goal with
>>     >         >             at least one stretch goal. The primary goal
>> is to have
>>     >         >             running code demonstrating the basic/ideal
>> case
>>     >         through our
>>     >         >             vulnerability scenario, where a new
>> vulnerability is
>>     >         >             discovered and we need to reach out all the
>> way to the
>>     >         >             endpoint to determine whether it is in fact
>>     >         vulnerable. A
>>     >         >             stretch goal might be to have running code
>>     >         demonstrating a
>>     >         >             "monitor for this vulnerability from now on"
>>     >         capability (I'm
>>     >         >             sure I'm not stating that as well as I could).
>>     >         >
>>     >         >
>>     >         >
>>     >         >             Does anyone have additional goals? Or, are
>> there
>>     >         better ways
>>     >         >             to state these particular goals (there
>> probably are)?
>>     >         >
>>     >         >
>>     >         >
>>     >         >             Kind regards,
>>     >         >
>>     >         >
>>     >         >
>>     >         >             Adam
>>     >         >
>>     >         >     _______________________________________________
>>     >         >     sacm mailing list
>>     >         >     sacm@ietf.org <mailto:sacm@ietf.org> <mailto:
>> sacm@ietf.org
>>     >         <mailto:sacm@ietf.org>>
>>     >         >     https://www.ietf.org/mailman/listinfo/sacm
>>     >         >
>>     >         >
>>     >         >
>>     >         > _______________________________________________
>>     >         > sacm mailing list
>>     >         > sacm@ietf.org <mailto:sacm@ietf.org>
>>     >         > https://www.ietf.org/mailman/listinfo/sacm
>>     >         >
>>     >
>>     >         _______________________________________________
>>     >         sacm mailing list
>>     >         sacm@ietf.org <mailto:sacm@ietf.org>
>>     >         https://www.ietf.org/mailman/listinfo/sacm
>>     >
>>     >
>>     >     _______________________________________________
>>     >     sacm mailing list
>>     >     sacm@ietf.org <mailto:sacm@ietf.org>
>>     >     https://www.ietf.org/mailman/listinfo/sacm
>>     >
>>     >
>>     >
>>     >
>>     >
>>     > _______________________________________________
>>     > sacm mailing list
>>     > sacm@ietf.org
>>     > https://www.ietf.org/mailman/listinfo/sacm
>>     >
>>
>>     _______________________________________________
>>     sacm mailing list
>>     sacm@ietf.org
>>     https://www.ietf.org/mailman/listinfo/sacm
>>
>>
>> _______________________________________________
>> sacm mailing list
>> sacm@ietf.org
>> https://www.ietf.org/mailman/listinfo/sacm
>>
>
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
>
>