OASIS Open (https://www.oasis-open.org/): Setting the standard for open collaboration
Wed, 10 Jan 2024 15:29:11 +0000

OASIS Board Member Spotlight Series: Q&A with Altaz Valani
https://www.oasis-open.org/2024/01/10/oasis-board-member-spotlight-altaz-valani/
Wed, 10 Jan 2024 15:29:10 +0000

The OASIS Board of Directors are integral to the organization's success. Read our Q&A to gain a better sense of who they are and why they serve the OASIS community.

Meet Altaz Valani, an accomplished and award-winning DevSecOps evangelist who also stands out as an executive advisor, teaching instructor, and community builder.

What has been your involvement at OASIS?
Along with being a Board member, I am also part of a few OASIS Technical Committees (TCs). My personal interest lies primarily in the cybersecurity and value stream space. It is, essentially, the intersection of secure technology and business value. Through my collaboration at OASIS, I am able to meet many individuals from diverse backgrounds. This diversity is one of the key strengths of the committees at OASIS.

What inspired you to join the OASIS Board of Directors?
I want to make a difference in this world. OASIS has amazing projects, many of which address key needs of the cybersecurity industry, specifically around the problem of data sharing. Being a Board member allows me to influence the direction of an internationally recognized organization with a long history of developing standards in an open ecosystem. It also gives me the opportunity to network and meet other like-minded individuals who also want to make a difference. Working together allows us to achieve what no single person could do on their own.

What types of skills/expertise do you bring to the OASIS Board, and how do you hope to make an impact?
My background is in software development and cybersecurity. My goal is to positively impact OASIS by helping to bridge gaps with other communities, setting future strategy, and socializing the impact of OASIS and its downstream open standards on the world.

Why are you passionate about OASIS’ mission?
From a cybersecurity perspective, there are so many tools out there that don’t talk to each other. Having an open standard that allows for smoother data interchange helps to drive the generation of key insights. It is from these insights that we can more effectively remediate some of our biggest cybersecurity problems.

What sets OASIS apart from other organizations?
First, OASIS has a clear onramp to international standardization. Through years of building a strong relationship with organizations like ISO, OASIS is uniquely positioned to bring the best of open development into the world of global standards. Second, the work done at OASIS is open and transparent. Anyone can see the work being done, and that builds accountability into the governance structure.

What are some reasons why companies, organizations, and individuals should bring their projects to OASIS?
Trying to do the heavy lifting on your own is extremely difficult and costly, but spreading the effort across multiple companies pays off. Additionally, there is an innovation component to this. As collaboration takes place, there are numerous ideas that emerge which you may not have considered, helping to advance innovation within your organization.

Do you have an impact story about your work in open source or standards?
Open projects have a profound impact on so many communities. In my experience, when a community shares their insights, they are earnestly seeking feedback for improvement. Feedback received then begets more feedback. That type of engagement allows an open project to remain relevant. 

When I worked at The Open Group on developing an open standard for Zero Trust, the feedback from many people was extremely valuable – both as validation as well as opportunities for further refinement. In the end, what emerged was a set of principles and practices that provided valuable guidance for many organizations and practitioners.

What trends or changes in standards are most exciting to you?
AI is certainly a big topic today. What is exciting about it is the way it can help reduce the manual effort of poring through vast amounts of security information to make informed decisions. We have no shortage of security tools today. What’s missing is an open security observability layer that integrates disparate islands of security tooling data into meaningful insights. I see OASIS and other standards communities continuing to drive meaningful open solutions to the problem of cybersecurity and integration. Additionally, as AI emerges, there are many possible opportunities to standardize pieces of the lifecycle around model representation and explainable AI. 

What’s a fun fact about you? 
I once travelled to Mongolia and stayed in a ger. It was amazing to experience a totally different culture and to understand their rich history and fascinating customs.

Invitation to comment on Common Security Advisory Framework v2.0 Errata 01
https://www.oasis-open.org/2023/12/21/invitation-to-comment-on-common-security-advisory-framework-v2-0-errata-01/
Thu, 21 Dec 2023 14:31:48 +0000

Public review of draft Errata ends January 4th

OASIS and the OASIS Common Security Advisory Framework (CSAF) TC are pleased to announce that Common Security Advisory Framework Version 2.0 Errata 01 is now available for public review and comment.

This document lists proposed errata for the OASIS Standard “Common Security Advisory Framework Version 2.0.” The specific changes are listed in section 1.1, at https://docs.oasis-open.org/csaf/csaf/v2.0/errata01/csd01/csaf-v2.0-errata01-csd01.html#11-description-of-changes.

The Common Security Advisory Framework (CSAF) Version 2.0 is the definitive reference for the CSAF language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.

The OASIS CSAF Technical Committee is chartered to make a major revision to the widely-adopted Common Vulnerability Reporting Framework (CVRF) specification, originally developed by the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI has contributed CVRF to the TC. The revision is being developed under the name Common Security Advisory Framework (CSAF). TC deliverables are designed to standardize existing practice in structured machine-readable vulnerability-related advisories and further refine those standards over time.

The documents and related files are available here:

Common Security Advisory Framework Version 2.0 Errata 01
Committee Specification Draft 01
15 December 2023

Editable source (Authoritative):
https://docs.oasis-open.org/csaf/csaf/v2.0/errata01/csd01/csaf-v2.0-errata01-csd01.md

HTML:
https://docs.oasis-open.org/csaf/csaf/v2.0/errata01/csd01/csaf-v2.0-errata01-csd01.html

PDF:
https://docs.oasis-open.org/csaf/csaf/v2.0/errata01/csd01/csaf-v2.0-errata01-csd01.pdf

JSON schemas:
Aggregator JSON schema:
https://docs.oasis-open.org/csaf/csaf/v2.0/errata01/csd01/schemas/aggregator_json_schema.json
CSAF JSON schema:
https://docs.oasis-open.org/csaf/csaf/v2.0/errata01/csd01/schemas/csaf_json_schema.json
Provider JSON schema:
https://docs.oasis-open.org/csaf/csaf/v2.0/errata01/csd01/schemas/provider_json_schema.json

For your convenience, OASIS provides a complete package of the specification document and any related files in ZIP distribution files. You can download the ZIP file at:
https://docs.oasis-open.org/csaf/csaf/v2.0/errata01/csd01/csaf-v2.0-errata01-csd01.zip

A public review announcement metadata record [3] is published along with the specification files.

How to Provide Feedback

OASIS and the CSAF TC value your feedback. We solicit input from developers, users and others, whether OASIS members or not, for the sake of improving the interoperability and quality of our technical work.

The public review starts 21 December 2023 at 00:00 UTC and ends 04 January 2024 at 23:59 UTC.

Comments may be submitted to the TC by any person through the use of the OASIS TC Comment Facility which can be used by following the instructions on the TC’s “Send A Comment” page (https://www.oasis-open.org/committees/comments/index.php?wg_abbrev=csaf).

Comments submitted by TC non-members for this work and for other work of this TC are publicly archived and can be viewed at:
https://lists.oasis-open.org/archives/csaf-comment/

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review, we call your attention to the OASIS IPR Policy [1] applicable especially [2] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification.

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

Additional information about the specification and the CSAF TC can be found at the TC’s public home page:
https://www.oasis-open.org/committees/csaf/

Additional references:

[1] https://www.oasis-open.org/policies-guidelines/ipr/

[2] https://www.oasis-open.org/committees/csaf/ipr.php
https://www.oasis-open.org/policies-guidelines/ipr/#Non-Assertion-Mode

[3] Public review announcement metadata:
https://docs.oasis-open.org/csaf/csaf/v2.0/errata01/csd01/csaf-v2.0-errata01-csd01-public-review-metadata.html

OASIS Launches Initiative to Standardize Machine-Readable End-of-Life Information Exchange for Software and Hardware
https://www.oasis-open.org/2023/12/14/oasis-launches-openeox/
Thu, 14 Dec 2023 15:32:48 +0000

Cisco, Dell, Huawei, Microsoft, Qualys, Red Hat, Sophos, and Others Collaborate on a Unified Framework for Automated Product Lifecycle Management

Boston, MA, USA, 14 December 2023 – OASIS Open, the international standards and open source consortium, announced the launch of OpenEoX, a global initiative to standardize the exchange of End-of-Life (EOL) and End-of-Support (EOS) information within the software and hardware industries. OpenEoX will provide a unified and efficient method to programmatically verify the EOL or EOS status of the products that businesses and individuals rely on. 

A standardized approach to EOL and EOS information will empower open source maintainers and vendors alike to deliver more accurate and reliable support to their users. OpenEoX can help reduce cybersecurity risk and susceptibility to vulnerabilities, enabling companies to quickly identify unsupported products. While frameworks like software bill of materials (SBOMs), the Common Security Advisory Framework (CSAF), and Vulnerability Exchange (VEX) have made significant strides in improving information sharing and product lifecycle management, OpenEoX represents a critical step forward in unifying these efforts.

“It’s crucial for people to stay informed on the lifecycle status of the products and open-source software they rely on. OpenEoX addresses this challenge by providing a common framework that simplifies the process of managing and sharing End-of-Life and End-of-Support information across the industry,” said Omar Santos, co-chair of OpenEoX and Distinguished Engineer, Security & Trust, AI Security Research and Operations at Cisco Systems. “When I started the original work in OpenEoX, I recognized that for it to truly transform the industry, it needed to be advanced in OASIS Open.” 

“OpenEoX will help redefine the landscape of vulnerability management by streamlining the oversight of product lifecycles. This empowers organizations to proactively address security issues through efficient patching and product upgrades,” said Justin Murphy, OpenEoX co-chair and Vulnerability Disclosure Analyst at the U.S. Cybersecurity and Infrastructure Security Agency (CISA). “The machine-readable OpenEoX standard will pave the way for automation and integration with tools such as vulnerability scanners and SIEM systems. It will be able to offer a comprehensive overview of an organization’s security posture, contributing to more informed decision-making and enhanced risk mitigation. We look forward to continuing to work with OASIS Open and the broader vulnerability management community to build a path toward more efficient, automated and prioritized vulnerability management.”

Participation in OpenEoX is open to all through OASIS membership. OpenEoX invites software and hardware vendors; open source maintainers; technology consultants; business stakeholders reliant on technology products; international, federal, and local government organizations; and others to become part of this collective effort. For more information on OpenEoX, please visit https://openeox.org/

Support for OpenEoX

Huawei
“Huawei is proud to join the OpenEoX project and support the establishment of standardized software and hardware end-of-life and end-of-support programs. We understand the impact of rapid tech development on the industry and are committed to working with stakeholders to explore a standardized approach to EOL and EOS programs. This will streamline processes, reduce confusion, and ensure a smooth transition for consumers. We look forward to contributing to the health and sustainability of the entire hardware and software ecosystem!”
– Martin Xie, Director of Huawei Cybersecurity Transparency Center

Microsoft
“Standardizing how the industry performs End of Life/End of Support for developed software/services and their related direct and transitive dependencies is critical to the evolution of end-to-end software supply chain security. Microsoft is proud to contribute to this work, which achieves even more transparency in better-made software while further building trust with more informed consumers.”
– Brendan Burns, CVP, Azure OSS Cloud Native

Qualys
“Qualys has been helping enterprises assess their first-party & open-source software risks through our Enterprise TruRisk Platform and are pleased to partner with OpenEoX to build an open standard to do this at scale. Identifying End-of-Life (EOL) and End-of-Service (EOS) applications in hybrid environments is now a concern at the CIO level, not just for CISOs. The capability to measure, communicate, and, more importantly, eliminate risks stemming from such tech debt demands a collaborative effort involving cybersecurity vendors, software vendors, and IT departments within organizations. We’re pleased to collaborate with OpenEoX to facilitate this process.”
– Pinkesh Shah, CPO, Qualys

Red Hat
“As an open source solutions provider with a broad product portfolio, consistently communicating lifecycle information to our customers and partners can pose a challenge. With OpenEoX, Red Hat will be able to streamline that process, providing users with a more accurate and reliable view over the lifecycle of their technologies. This information, integrated with other components of the vulnerability assessment process, will complement data like VEX and SBOMs and help our users address and remediate potential security issues more quickly and efficiently.”
– Pete Allor, Sr. Director, Red Hat Product Security

Sophos
“In today’s dynamic world of cybersecurity threats, identifying the end stages of software and hardware—End-of-Life (EOL) and End-of-Support (EOS)—is critical. While tools like SBOMs, CSAF and OHDF have advanced the field, there is a vital need to address the lack of knowledge when products are no longer supported and the vulnerabilities they introduce. OpenEoX will help us solve this gap with a streamlined process for lifecycle management, minimizing risks from outdated technology. Sophos is excited to work with the OpenEoX community to create a flexible framework that seamlessly melds with current standards and tools, streamlining the addition of EOL / EOS into the product lifecycle.”
– Mike Fraser, VP of Product Management of DevSecOps and Automation, Sophos

NIEM Model v6.0 Project Specification 01 approved by the NIEMOpen Open Project
https://www.oasis-open.org/2023/12/13/niem-model-v6-0-project-specification-01-approved-by-the-niemopen-open-project/
Wed, 13 Dec 2023 19:16:45 +0000

NIEM Model Version 6.0 ready for testing and implementation

OASIS is pleased to announce that NIEM Model Version 6.0 from the NIEMOpen Open Project [1] has been approved as an OASIS Project Specification.

NIEM is a data model that enables efficient information exchange across diverse public and private organizations. NIEM can improve interoperability among message exchange partners by providing consistent rules, reusable data components, and repeatable processes.

NIEM Model v6.0 includes detailed descriptions of the changes since the previous version 5.2.

This Project Specification is an OASIS deliverable, completed and approved by the OP’s Project Governing Board and fully ready for testing and implementation. The applicable open source licenses can be found in the project’s administrative repository at https://github.com/niemopen/oasis-open-project/blob/main/LICENSE.md.

The specification and related files are available at:

NIEM Model Version 6.0
Project Specification 01
04 December 2023

Markdown (Authoritative):
https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/niem-model-v6.0-ps01.md
HTML:
https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/niem-model-v6.0-ps01.html
PDF:
https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/niem-model-v6.0-ps01.pdf
Complete XML Schema:
NIEM Core Schema: https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/xsd/niem-core.xsd
NIEM Domain Schemas: https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/xsd/domains/
NIEM Adapter Schemas: https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/xsd/adapters/
NIEM Auxiliary Schemas: https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/xsd/auxiliary/
NIEM Code Schemas: https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/xsd/codes/
NIEM External Schemas: https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/xsd/external/
NIEM Utility Schemas: https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/xsd/utility/
NIEM Documentation files:
NIEM README: https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/README.md
NIEM documentation files: https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/docs/
Other artifacts:
NIEM CSV files: https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/csv/
NIEM JSON-LD files: https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/json-ld/
NIEM XML Catalog: https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/xsd/xml-catalog.xml

Distribution ZIP file

For your convenience, OASIS provides a complete package of the specification and related files in a ZIP distribution file. You can download the ZIP file at:
https://docs.oasis-open.org/niemopen/niem-model/v6.0/ps01/niem-model-v6.0-ps01.zip

Members of the NIEMOpen OP Project Governing Board approved this specification by Special Majority Vote [2] as required by the Open Project rules [3].

Our congratulations to the participants and contributors in the NIEMOpen Open Project on their achieving this milestone.

Additional references:

[1] NIEMOpen Open Project
https://www.niemopen.org/

[2] Approval ballot:
https://lists.oasis-open-projects.org/g/niemopen-pgb/message/127

[3] https://www.oasis-open.org/policies-guidelines/open-projects-process/

OASIS Unveils CACAO v2.0: Transforming Cybersecurity Course-of-Action Playbooks for Enhanced Defense
https://www.oasis-open.org/2023/12/13/oasis-unveils-cacao-v2-0/
Wed, 13 Dec 2023 14:16:03 +0000

Cisco, Cyware, IBM, U.S. NIST, and Others Advance Committee Specification for Orchestrating and Automating Cyber Response Playbooks

Boston, MA – 13 December 2023 – OASIS Open, the international open source and standards consortium, and the Collaborative Automated Course of Action Operations (CACAO) for Cyber Security Technical Committee (TC) have approved CACAO Security Playbooks v2.0 as an OASIS Committee Specification (CS). CACAO v2.0 will empower organizations to orchestrate, collaborate, and share cybersecurity playbooks. In the ongoing battle against threat actors, organizations must identify, create, document, and test various steps to detect, investigate, mitigate, and remedy potential threats. The culmination of these steps results in a cybersecurity playbook designed to secure organizational systems, networks, data, and users.

CACAO v2.0 defines the schema and taxonomy for cybersecurity playbooks and describes how they can be created, documented, and shared in a structured and standardized way across organizational boundaries and technological solutions. These playbooks give security teams the ability to respond to incidents, mitigate threats, and protect their networked systems by offering a modular and extensible approach to playbook development, ensuring that it can adapt to the diverse needs of different organizations.

“CACAO is the culmination of many years of hard work from the cybersecurity community outside and within OASIS, resulting in a significant step forward for all organizations looking to automate their defense against today’s latest cyber threats,” said Allan Thomson, co-chair of the CACAO TC. “We’ve taken the approach with CACAO, to embrace existing toolsets and processes security organizations are already familiar with, and defined a standardized playbook mechanism that allows orchestration and collaboration not easily achieved both within their own organization, as well as with external sharing partners.”

“The creation, development, and now approval of CACAO v2.0 as a Committee Specification is a testament to the hard work and collaboration of so many different individuals and organizations from around the world to help solve one of the biggest problems in cyber defense: the orchestration of response in cyber relevant time,” said Bret Jordan, co-chair of the CACAO TC. “This standardized approach to orchestrated cyber defense gives organizations the ability to navigate the evolving threat landscape with confidence, armed with the tools needed to orchestrate and automate responses effectively. I am so proud of the work that everyone has done to make this a reality. This TC has done for cyber security playbooks what STIX and TAXII did for cyber threat intelligence (CTI).”

For further insights, read the blog Standardized Security Orchestration with CACAO, written by Bret Jordan, Vasileios Mavroeidis, Luca Morgese, and Allan Thomson.

The CACAO TC is made up of a diverse group of global experts from various industries, including cybersecurity, government, and academia. OASIS Open encourages organizations and individuals to get involved in the development and adoption of CACAO v2.0 and other open standards for cybersecurity.

Additional Information
CACAO Technical Committee

OASIS Open and Cisco Champion AI Security in Joint Summit
https://www.oasis-open.org/2023/12/07/oasis-cisco-ai-security-summit/
Thu, 07 Dec 2023 14:40:45 +0000

Experts Discuss Strategies to Keep Pace with Emerging Threats in AI Security

Boston, MA – 7 December 2023 – The AI Security Summit, organized by OASIS Open and Cisco on November 30, 2023, brought together an exceptional array of speakers, each bringing unique insights and expertise to the table. Throughout the day-long event, cybersecurity and AI experts explored the challenges and opportunities associated with the implementation of AI solutions. Topics included the top AI threats and risks, AI vulnerability management and disclosure, challenges when monitoring AI implementations, upcoming regulations, and dealing with AI-enhanced disinformation. A key takeaway was the importance of establishing meaningful connections within the cybersecurity and AI communities, highlighting the need for collaboration and standards to address the dynamic nature of AI threats.

The event’s hybrid format accommodated both in-person participation at the Cisco offices in Research Triangle Park, N.C., and virtual participation, with more than 1,200 registered individuals.

Omar Santos, Distinguished Engineer, Cisco, noted, “We had an incredible turnout, both virtually and in-person, for our inaugural AI Security Summit. There were impressive speakers and panelists whose insights enriched the discussions on the challenges in AI security. We have a shared commitment to advancing our understanding and practices in AI security, and this event really set the tone for ongoing collaboration within the AI and cybersecurity communities.”

Jamie Clark, General Counsel and Chief Privacy Officer, OASIS Open, echoed Santos’ sentiments, emphasizing the importance of collaboration in tackling the evolving challenges in AI security. “As we reflect on the event, it is clear that the collaboration sparked at the summit will reverberate in ongoing efforts to advance AI security standards. OASIS and its members will continue to strive to secure the increasingly interconnected world of AI. It’s events like these that propel our industry forward,” said Clark.

OASIS is grateful to Cisco for hosting the inaugural summit and commends all participants for a successful event. The day was filled with dynamic and thought-provoking discussions, showcasing the importance of continued dialogue as AI evolves.

For those interested in revisiting the discussions or for anyone who missed the live event, the recordings will be made available on the OASIS YouTube channel and the event website.

Standardized Security Orchestration with CACAO
https://www.oasis-open.org/2023/12/06/cacao-security-playbooks-v2-blog/
Wed, 06 Dec 2023 15:55:08 +0000

By Bret Jordan, Vasileios Mavroeidis, Luca Morgese, and Allan Thomson

Organizational cyber security has never been more under attack than in today’s world. With the introduction of the OASIS Collaborative Automated Course of Actions Operations (CACAO) Version 2.0 standard, security organizations have a new and formidable toolkit in their ability to orchestrate and collaborate using fully automatable security playbooks to respond to today’s cyber threats. 

Read on to learn more about how CACAO can help defend your organization better.

The New Standard for Security Playbooks

CACAO is a standardized framework for orchestrating and automating course-of-action playbooks in cybersecurity. It streamlines the creation, execution, and sharing of playbooks, making it easier for security teams to respond to incidents, mitigate threats, and protect their networks. CACAO offers a modular and extensible approach to playbook development, ensuring that it can adapt to the diverse needs of different organizations.

CACAO focuses on empowering IT/Security organizations to design and orchestrate security activities. These range from traditional activities like intrusion detection, through security event triage, to determining the relevant steps to counter a threat and enforcing mitigation and incident response procedures.

Moreover, it enables more advanced techniques that use playbooks across various use cases that organizations may employ or want to address, such as performing attack emulations as part of red team activities, utilizing threat deception techniques to engage with active threats against the organization, or even ensuring policy and regulatory compliance.

The following section highlights some of the key aspects of how CACAO Playbooks are designed.

Key Technology of CACAO

Organizing and Searching Playbooks: Metadata

Metadata is a crucial and powerful component of CACAO, allowing for the efficient categorization and searchability of playbooks. It includes information such as the operational roles a playbook performs, descriptions of its activities, and the complexity of the workflow steps it encapsulates. For example, a playbook may contain workflow steps that are simply sequenced, or it may contain control flows that require the orchestration system to handle the typical logic that programs require. This metadata helps organizations find relevant playbooks quickly and tailor them to their specific requirements.

Defining the process, logic and knowledge within a playbook: Workflow Steps

CACAO playbooks are structured as workflows composed of a dictionary of action steps that can be performed sequentially or in parallel. Workflows stay flexible: they can branch to other CACAO playbooks (a modular approach) and incorporate different types of conditional logic (e.g., if, while, switch) to support even the most advanced and complex scenarios and requirements.

Connecting the playbook steps to systems, people and their targets: Agents and Targets

In CACAO, the agent is the entity responsible for executing actions, while the target is the recipient of those actions. Agents execute action steps containing commands against targets. The design emphasizes modularity and reusability, allowing organizations to define agents and targets once, reference them in multiple playbooks, or reuse them within a playbook. This approach provides flexibility on how action steps and their underlying commands will be executed by, or against, for example, an individual, group, organization, devices and equipment, or in a hybrid manner. 

Additional Key Features of CACAO


Modularity & Extensibility

Recognizing that cybersecurity organizations and their technologies can span a large ecosystem that is constantly evolving, CACAO was designed to be both modular and extensible. 

Organizations can be responsible for specific areas of technology and their respective playbooks. Those playbooks can be combined with other organizations’ playbooks for specific threats or for the general processes that larger organizations typically follow when responding to incidents (also known as standard operating procedures, or SOPs). In many respects, how an IT/Security organization is defined and operates is already set; however, CACAO playbooks can be easily mapped to that organizational structure without requiring changes to the organization or to how it performs its automation. With CACAO, organizations now have standardized and fully interoperable playbooks that can significantly improve their operational processes, both within the organization and externally when the team is collaborating with other organizations.

CACAO already includes a comprehensive set of integrations for a large variety of commands and toolsets*. However, organizations can also adapt CACAO to incorporate new tools, proprietary systems, or evolving industry standards. We defined an extension mechanism that is now the basis for STIX and CACAO Extensions that can be applied at the playbook, step, or command level, providing flexibility for organizations to customize their orchestration.

* See CACAO Specification Section 5 for details.



Ensuring Playbook Integrity

Integrity and trust are essential in the world of cybersecurity. CACAO addresses this need by incorporating digital signatures into playbooks so that they can be signed and countersigned. CACAO’s signature mechanism (a JSON signature scheme) was submitted to the UN’s ITU-T and standardized as X.590. It is now being used in CACAO to assure the authenticity and integrity of playbooks, helping organizations validate their sources and track changes to playbooks over time.



Integrating Cyber Threat Intelligence (CTI) with Orchestration

CACAO connects with the Structured Threat Information eXpression (STIX) Version 2.1 standard, ensuring interoperability and information sharing between cyber threat intelligence and incident response. CACAO uses the same identifiers, versioning mechanism, and core metadata as STIX, enabling organization investments to support both standards easily. This integration allows organizations to leverage their cyber threat intelligence knowledge and apply it directly to their playbooks. Similarly, the synergistic utilization of these two standards can allow CTI to trigger or recommend the execution of specific CACAO playbooks. 


Designing CACAO Playbooks – Key Elements to Consider

As highlighted above, there are three key aspects to designing a CACAO Playbook that an organization must consider.

Metadata

Metadata enables organizations to assess and evaluate the contents of a playbook and what its operational impact might be. The key parts and some of the properties to consider are:

  • Playbook Type
    • This property defines the key purpose of the playbook, for example, whether it addresses threat detection, incident response, threat mitigation, investigation, a combination of the aforementioned, etc.
  • Playbook Activities & Playbook Processing
    • These properties enable organizations to better understand what a playbook does in detail and what features it has implemented such as conditional logic, digital signatures, etc.
  • Versioning
    • Versioning enables organizations to track changes in their playbooks over time and potentially changes in playbooks created by different authors.
  • Labels
    • Labels can be used to index and categorize playbooks by type, organization, and function while enabling many other organizational and trust group specific vocabularies or taxonomies. Labeling can be extremely powerful and effective when organizing playbooks.

Workflow Steps

Workflow Steps are the primary content that defines the playbook and the outcomes expected by executing the steps within it. CACAO provides a rich set of (programming) constructs, offering organizations a great amount of flexibility and comprehensive support for their operational and automation needs.

Steps may include: 

  • Sequential
    • Each step is executed in a simple defined order:
      step 1, step 2, step 3, step n
  • Parallel
    • Each step is executed in parallel:
      step 1.1, step 1.2, step 1.3, step 1.n
  • Conditional
    • Each step can consider a boolean expression prior to executing the next step, for example, if Condition X is true, then perform step 1.
  • Loops
    • Supports repeating steps until a condition is no longer satisfied, for example, while Condition X is true, perform step 1.
  • Action
    • Supports the specific action to be executed for a given step.

Agents & Targets

Agents execute action steps containing commands against targets.

Two simple examples:

  • An agent could be an orchestration system executing an automated command (e.g., HTTP API call) to configure a firewall (in this case – the target). 
  • An agent could be a human executing a manual step (manual command), such as switching off the power to a building’s internet connection, which requires network isolation and is impossible to automate without a human override.


Conclusion

CACAO provides organizations with a rich set of mechanisms to define security playbooks across their entire organization to handle many different aspects of the security operations lifecycle. For collaborating teams within the organizations or across different organizations, CACAO enables the teams to define and share their defensive tradecraft on many aspects including incidents, threat responses, investigative actions, and security assessments. 

Please check out the CACAO specification here and check back in the coming months for our webinar series on CACAO.

Authors: Bret Jordan, Vasileios Mavroeidis, Luca Morgese, and Allan Thomson

Invitation to comment on XACML v3.0 Related and Nested Entities v1.0 from the XACML TC
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Tue, 05 Dec 2023 21:57:10 +0000

15-day third public review - ends December 20th

We are pleased to announce that XACML v3.0 Related and Nested Entities Profile Version 1.0 CSD03 from the OASIS eXtensible Access Control Markup Language (XACML) TC is now available for public review and comment. This is the third public review for this work.

Overview:

The eXtensible Access Control Markup Language (XACML) defines categories of attributes that describe entities of relevance to access control decisions. XACML rules, policies and policy sets contain assertions over the attributes of these entities that must be evaluated to arrive at an access decision. Principal among the various predefined entities are the entity that is requesting access, i.e., the access subject, and the entity being accessed, i.e., the resource. However, it is not unusual for access decisions to be dependent on attributes of entities that are associated with the access subject or resource. For example, attributes of an organization that employs the access subject, or attributes of a licensing agreement that covers the terms of use of a resource.

This profile defines two ways of representing these associated entities in the request context – related entities and nested entities – and defines additional mechanisms to access and traverse these entities.

TC Description:

The XACML TC specifies access control standards, based on the Attribute-based Access Control model (ABAC). The core of this work is the specification of the syntax and semantics of a policy language called XACML. Current work in the TC consists mostly of defining additional profiles of various types which build on version 3.0 of the XACML core specification.

The documents and related files are available here:

XACML v3.0 Related and Nested Entities Profile Version 1.0
Committee Specification Draft 03

09 November 2023

Editorial source (Authoritative):
https://docs.oasis-open.org/xacml/xacml-3.0-related-entities/v1.0/csd03/xacml-3.0-related-entities-v1.0-csd03.docx
HTML:
https://docs.oasis-open.org/xacml/xacml-3.0-related-entities/v1.0/csd03/xacml-3.0-related-entities-v1.0-csd03.html
PDF:
https://docs.oasis-open.org/xacml/xacml-3.0-related-entities/v1.0/csd03/xacml-3.0-related-entities-v1.0-csd03.pdf
Additional normative artifacts:
XML schema: https://docs.oasis-open.org/xacml/xacml-3.0-related-entities/v1.0/csd03/schemas/

For your convenience, OASIS provides a complete package of the prose specification and related files in a ZIP distribution file. You can download the ZIP file at:
https://docs.oasis-open.org/xacml/xacml-3.0-related-entities/v1.0/csd03/xacml-3.0-related-entities-v1.0-csd03.zip

How to Provide Feedback

OASIS and the XACML TC value your feedback. We solicit feedback from potential users, developers and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

This public review starts on 06 December 2023 at 00:00 UTC and ends 20 December 2023 at 11:59 UTC.

Comments on the work may be submitted to the TC by following the instructions located at:
https://www.oasis-open.org/committees/comments/form.php?wg_abbrev=xacml

Feedback submitted by TC non-members for this work and for other work of this TC is publicly archived and can be viewed at:
https://lists.oasis-open.org/archives/xacml-comment/

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with the public review of these works, we call your attention to the OASIS IPR Policy [1] applicable especially [2] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification.

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

Additional information about this specification and the XACML TC may be found on the TC’s public home page:
https://www.oasis-open.org/committees/xacml/

Additional information related to this public review can be found in the public review metadata document [3].

========== Additional references:

[1] https://www.oasis-open.org/policies-guidelines/ipr/

[2] https://www.oasis-open.org/committees/xacml/ipr.php
https://www.oasis-open.org/policies-guidelines/ipr/#RF-on-Limited-Mode
RF on Limited Terms Mode

[3] Public review metadata document:

https://docs.oasis-open.org/xacml/xacml-3.0-related-entities/v1.0/csd03/xacml-3.0-related-entities-v1.0-csd03-public-review-metadata.html

Electronic Court Filing v4.1 & v5.01 and ECF Web Services SIP v4.1 & v5.01 Committee Specifications Published
https://www.oasis-open.org/2023/11/27/electronic-court-filing-v4-1-v5-01-and-ecf-web-services-sip-v4-1-v5-01-committee-specifications-published/
Mon, 27 Nov 2023 21:09:11 +0000

Also: Implementation Guidance for ECF v4.1 - Committee Note

We are pleased to announce that Electronic Court Filing Version 4.1 & Version 5.01 and Electronic Court Filing Web Services Service Interaction Profile Version 4.1 & Version 5.01 from the LegalXML Electronic Court Filing TC [1] have been approved as OASIS Committee Specifications, and are now available.

In addition, the ECF TC members have published the Committee Note “Implementation Guidance for Electronic Court Filing Version 4.1.” It provides non-normative guidance to implementers of the LegalXML Electronic Court Filing Version 4.1 specification.

ECF defines a technical architecture and a set of components, operations and message structures for an electronic court filing system, and sets forth rules governing its implementation.

Version 4.1:
LegalXML Electronic Court Filing Version 4.1 (ECF v4.1) consists of a set of non-proprietary XML and Web Services specifications, along with clarifying explanations and amendments to those specifications, that have been added for the purpose of promoting interoperability among electronic court filing vendors and systems. ECF Version 4.1 is a maintenance release to address several minor schema and definition issues identified by implementers of the ECF 4.0 and 4.01 specifications.

Electronic Court Filing Web Services Service Interaction Profile defines a Service Interaction Profile, as defined in section 5 of the ECF v4.1 specification. The Web Services Service Interaction Profile may be used to transmit ECF 4.1 messages between Internet-connected systems.

Version 5.01:
Electronic Court Filing Version 5.01 (ECF v5.01) consists of a set of non-proprietary XML and Web Services specifications developed to promote interoperability among electronic court filing vendors and systems. ECF v5.01 is a minor release that adds new functionality and capabilities beyond the scope of the ECF 5.0, 4.0 and 4.01 specifications that it supersedes.

Electronic Court Filing Web Services Service Interaction Profile defines a Service Interaction Profile (SIP), as defined in section 7 of the ECF v5.01 specification. The Web Services SIP may be used to transmit ECF 5.01 messages between Internet-connected systems.

The documents for these four Committee Specifications and related files, as well as the new Committee Note, are available here:

Electronic Court Filing Version 4.1
Committee Specification 01
29 September 2023

Editable source (Authoritative):
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v4.1/cs01/ecf-v4.1-cs01.docx
HTML:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v4.1/cs01/ecf-v4.1-cs01.html
PDF:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v4.1/cs01/ecf-v4.1-cs01.pdf
XML schemas:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v4.1/cs01/xsd/
XML sample messages:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v4.1/cs01/xml/
Model and documentation:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v4.1/cs01/model/
Genericode code lists:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v4.1/cs01/gc/
Specification metadata:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v4.1/cs01/xsd/metadata.xml
Complete package in ZIP file:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v4.1/cs01/ecf-v4.1-cs01.zip
************************

Electronic Court Filing Web Services Service Interaction Profile Version 4.1
Committee Specification 01
29 September 2023

Editable source (Authoritative):
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v4.1/cs01/ecf-webservices-v4.1-cs01.docx
HTML:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v4.1/cs01/ecf-webservices-v4.1-cs01.html
PDF:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v4.1/cs01/ecf-webservices-v4.1-cs01.pdf
WSDL files:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v4.1/cs01/wsdl/
WSDL examples:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v4.1/cs01/wsdl/examples/
Complete package in ZIP file:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v4.1/cs01/ecf-webservices-v4.1-cs01.zip
***************************

Electronic Court Filing Version 5.01
Committee Specification 01
29 September 2023

Editable source (Authoritative):
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/cs01/ecf-v5.01-cs01.docx
HTML:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/cs01/ecf-v5.01-cs01.html
PDF:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/cs01/ecf-v5.01-cs01.pdf
XML schemas and Genericode code lists:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/cs01/schema/
XML example messages:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/cs01/examples/
Model and documentation:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/cs01/model/
UML model artifacts:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/cs01/uml/
Complete package in ZIP file:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/cs01/ecf-v5.01-cs01.zip
************************

Electronic Court Filing Web Services Service Interaction Profile Version 5.01
Committee Specification 01
29 September 2023

Editable source (Authoritative):
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v5.01/cs01/ecf-webservices-v5.01-cs01.docx
HTML:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v5.01/cs01/ecf-webservices-v5.01-cs01.html
PDF:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v5.01/cs01/ecf-webservices-v5.01-cs01.pdf
WSDL schemas:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v5.01/cs01/schema/
XML WSDL examples:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v5.01/cs01/examples/
Complete package in ZIP file:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v5.01/cs01/ecf-webservices-v5.01-cs01.zip
***************************

Implementation Guidance for Electronic Court Filing Version 4.1
Committee Note 01
16 October 2023

Editable source (Authoritative):
https://docs.oasis-open.org/legalxml-courtfiling/ecf-guide/v4.1/cn01/ecf-guide-v4.1-cn01.docx
HTML:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-guide/v4.1/cn01/ecf-guide-v4.1-cn01.html
PDF:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-guide/v4.1/cn01/ecf-guide-v4.1-cn01.pdf
Complete package in ZIP file:
https://docs.oasis-open.org/legalxml-courtfiling/ecf-guide/v4.1/cn01/ecf-guide-v4.1-cn01.zip
***************************

Members of the ECF TC [1] approved these specifications by Special Majority Vote. The specifications had been released for public review as required by the TC Process [2]. The vote to approve as Committee Specifications passed [3], and the documents are now available online in the OASIS Library as referenced above.

Our congratulations to the TC on achieving these milestones and our thanks to the reviewers who provided feedback on the specification drafts to help improve the quality of the work.

========== Additional references:
[1] OASIS LegalXML Electronic Court Filing TC
https://www.oasis-open.org/committees/legalxml-courtfiling/

[2] History of publications, including public reviews:
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v4.1/csd02/ecf-v4.1-csd02-public-review-metadata.html
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v4.1/csd02/ecf-webservices-v4.1-csd02-public-review-metadata.html
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/csd03/ecf-v5.01-csd03-public-review-metadata.html
https://docs.oasis-open.org/legalxml-courtfiling/ecf-webservices/v5.01/csd03/ecf-webservices-v5.01-csd03-public-review-metadata.html

[3] Approval ballot:
https://www.oasis-open.org/committees/ballot.php?id=3796

Invitation to comment on DocBook Schema V5.2 before call for consent as OASIS Standard – ends January 18th
https://www.oasis-open.org/2023/11/20/invitation-to-comment-on-docbook-schema-v5-2-before-call-for-consent-as-oasis-standard-ends-january-18th/
Mon, 20 Nov 2023 20:03:25 +0000

The widely-adopted XML schema for marking up books of all kinds is now presented for public review prior to its submission to the members of OASIS as a candidate for OASIS Standard.

OASIS and the DocBook TC [1] are pleased to announce that The DocBook Schema Version 5.2 is now available for public review and comment.

DocBook is a schema (available in languages including RELAX NG, SGML and XML DTDs, and W3C XML Schema) that is particularly well suited to books and papers about computer hardware and software.

Because it is a large and robust schema, and because its main structures correspond to the general notion of what constitutes a “book,” DocBook has been adopted by a large and growing community of authors writing books of all kinds. DocBook is supported “out of the box” by a number of commercial tools, and there is rapidly expanding support for it in a number of free software environments. These features have combined to make DocBook a generally easy to understand, widely useful, and very popular schema. Dozens of organizations are using DocBook for millions of pages of documentation, in various print and online formats, worldwide.

The TC received four Statements of Use from Norm Tovey-Walsh, XML Press, the SUSE documentation team, and Jirka Kosek [3].

The candidate specification and related files are available here:

The DocBook Schema Version 5.2
Committee Specification 01
19 July 2023

Editable source (Authoritative):
https://docs.oasis-open.org/docbook/docbook/v5.2/cs01/docbook-v5.2-cs01.docx

HTML:
https://docs.oasis-open.org/docbook/docbook/v5.2/cs01/docbook-v5.2-cs01.html

PDF:
https://docs.oasis-open.org/docbook/docbook/v5.2/cs01/docbook-v5.2-cs01.pdf

For your convenience, OASIS provides a complete package of the specification document and any related files in ZIP distribution files. You can download the ZIP file at:

https://docs.oasis-open.org/docbook/docbook/v5.2/cs01/docbook-v5.2-cs01.zip

Public Review Period

The 60-day public review starts 20 November 2023 at 00:00 UTC and ends 18 January 2024 at 23:59 UTC.

This is an open invitation to comment. OASIS solicits feedback from potential users, developers and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

Comments may be submitted to the TC by any person through the use of the OASIS TC Comment Facility as explained in the instructions located via the button labeled “Send A Comment” at the top of the TC public home page, or directly at:

https://www.oasis-open.org/committees/comments/index.php?wg_abbrev=docbook

Comments submitted for this work and for other work of this TC/OP are publicly archived and can be viewed at:

https://lists.oasis-open.org/archives/docbook-comment/

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review of “DocBook V5.2,” we call your attention to the OASIS IPR Policy [4] applicable especially [5] to the work of this technical committee. All members of the TC/OP should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification.

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

Additional information

[1] DocBook TC
https://www.oasis-open.org/committees/docbook

[2] Approval ballot:
https://www.oasis-open.org/committees/ballot.php?id=3806

[3] Statements of Use:

[4] http://www.oasis-open.org/policies-guidelines/ipr

[5] https://www.oasis-open.org/committees/docbook/ipr.php
RF on Limited Terms Mode
https://www.oasis-open.org/policies-guidelines/ipr/#RF-on-Limited-Mode
