Re: [scap_interest] Software Vulnerability Mitigation Automation - IVIL v1.0

Luis Nunez <lnunez@c3isecurity.com> Fri, 17 February 2012 16:38 UTC

Return-Path: <lnunez@c3isecurity.com>
X-Original-To: scap_interest@ietfa.amsl.com
Delivered-To: scap_interest@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE54621F8505 for <scap_interest@ietfa.amsl.com>; Fri, 17 Feb 2012 08:38:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IaPZce8foOUH for <scap_interest@ietfa.amsl.com>; Fri, 17 Feb 2012 08:38:00 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id ABBD621F84F9 for <scap_interest@ietf.org>; Fri, 17 Feb 2012 08:38:00 -0800 (PST)
Received: by ggnq2 with SMTP id q2so2166433ggn.31 for <scap_interest@ietf.org>; Fri, 17 Feb 2012 08:38:00 -0800 (PST)
Received: by 10.236.145.230 with SMTP id p66mr10363252yhj.27.1329496680049; Fri, 17 Feb 2012 08:38:00 -0800 (PST)
Received: from [172.16.1.103] (cpe-066-057-025-190.nc.res.rr.com. [66.57.25.190]) by mx.google.com with ESMTPS id a47sm23671919yhj.12.2012.02.17.08.37.57 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 17 Feb 2012 08:37:59 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset=iso-8859-1
From: Luis Nunez <lnunez@c3isecurity.com>
In-Reply-To: <4F3C57D9.8020405@netpeas.com>
Date: Fri, 17 Feb 2012 11:37:55 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <F9F27845-F33E-45CD-9125-37DF651A78A0@c3isecurity.com>
References: <4F3C57D9.8020405@netpeas.com>
To: Jerome Athias <jerome@netpeas.com>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQmQGM1C5UwQ/PYrCfQbMW9IcZzWyRNMMTv6GpqzVpwiZG834ItR/wF9Pg4/1Gvkz6zGYvOX
Cc: scap_interest@ietf.org
Subject: Re: [scap_interest] Software Vulnerability Mitigation Automation - IVIL v1.0
X-BeenThere: scap_interest@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion List for IETFers interested in the Security Content Automation Protocol \(SCAP\)." <scap_interest.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/scap_interest>
List-Post: <mailto:scap_interest@ietf.org>
List-Help: <mailto:scap_interest-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2012 16:38:01 -0000

I certainly see this theme of "information sharing" and"standards" emanating from US politics. I am sure similar issues are being debated else where globally. 

Thanks for providing the snap shot of the intricacies of security information.  I wanted to emphasis some of the problems we are trying solve here. We are trying to solve the problem of communicating and connecting the dots all in a cooperative and cohesive way.  So it starts with standardizing the Security Automation specifications.

I look forward to seeing more of the "vulnerability interoperability" proposal.

Thanks.

-ln

On Feb 15, 2012, at 8:11 PM, Jerome Athias wrote:

> As mentioned in the U.S. "INTERNATIONAL STRATEGY FOR CYBERSPACE"[1] document,
> we need "interoperable and secure technical standards, determined by technical experts".
> 
> I would like to introduce my vision of "Software Vulnerability Mitigation Automation"
> via IVIL v1.0 via a (incomplete) Conceptual Map.
> 
> Requirements: ~15 minutes of your time, a headset and the Boléro
> 
> https://corevidence.com/research/vulnerability_interoperability_ivil_v1.jpg
> 
> (I extracted some links, please see below)
> 
> 
> 
> i = x2ivil + ivil2x
> where "i" is interoperability and "x" a software (vulnerability scanner,... + waf, virtual patching system, ...)
> 
> What do you think?
> 
> Thank you.
> Best regards,
> 
> Jerome Athias - NETpeas
> VP, Director of Software Engineer
> Palo Alto - Paris - Casablanca
> http://www.netpeas.com
> 
> "The computer security is an art form. It's the ultimate martial art."
> 
> 
> 
> [1]    http://www.whitehouse.gov/blog/2011/05/16/launching-us-international-strategy-cyberspace
> IVIL-XML    http://www.cupfighter.net/index.php/2010/10/ivil-an-xml-schema-to-exchange-vulnerability-information/
> ThreadFix    http://code.google.com/p/threadfix/
> 
> _______________________________________________
> scap_interest mailing list
> scap_interest@ietf.org
> https://www.ietf.org/mailman/listinfo/scap_interest