CPE Future Vision
|
|
|
||||||||
|
I'm somewhat bummed that I haven't seen any discussion on this issue.
I'll go ahead and try to link it to earlier discussions about ontologies. Basically, I think the URI structure imposes unacceptable limits on our ability to express the names we need. I'd like to go to a tagged structure based on a more informed understanding of what a CPE is. At the end of the day, I think CPE should be about names for installable software, legal relationships between those names, and managing a body of community content that can be used to derive the consensus name for any given product--so we can build interoperable tools. Based on my experience in the DoD over the past 2.5 years, I'm thinking CPE should break away from the URI structure and go to a tagged structure that allows users to populate just the elements they want to communicate. I'm also thinking CPE should only address installable software inventories and not try to differentiate between OS and applications. I don't think vendor is a good base for products, particularly given the open source community and the potential to have a single product distributed by multiple vendors. I think product is a better base. I'm also wondering if any type of transport (URI/XML/CSV/JSON.. whatever) really has any business prescribing how a given vendor must use the text strings, titles, and other information tracked in CPE, so I'm thinking it may not have any business being part of the standard. I'm attaching a UML diagram of how I'm thinking an ontology for single CPE might look. I'm still trying to determine if there's a dependency between version and update, but I'm almost completely sure there isn't a dependency between edition and version, or between edition and update. I'm also thinking we may need to have subordinate elements of version that break out major, minor, and sub-minor version information. I also think deprecation should take place on a per-component basis. Also that there's no guarantee of uniqueness for the text names of CPE components, so they should be assigned unique identifiers, which should be the basis for managing deprecation. Let me know what you think. If we agree on this, we can put an "any" tag at the end of the standard CPE Component element list and other standards can expand on cpe core data by bringing in data elements that address function, family, hash, etc. That said, the CPE forum is meant to be consensus driven, so I'll bow to the collective wisdom of contributors to the list. Also attached an xml schema that implements the ontology as an XML language. Lt Col Joseph L. Wolfkiel Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office 9800 Savage Rd Ste 6767 Ft Meade, MD 20755-6767 Commercial 410-854-5401 DSN 244-5401 Fax 410-854-6700 -----Original Message----- From: Buttner, Drew [mailto:[hidden email]] Sent: Wednesday, March 04, 2009 2:07 PM To: [hidden email] Subject: [CPE-DISCUSSION-LIST] CPE Future Vision All, Version 2.0 of the CPE Specification was released on September 14th, 2008. At that time the community wanted to see CPE go through a stabilization period and have the community attempt to use the specification in order to get a better feel for future direction. The past year has seen a lot of conversation within the community about possible direction with some different ideas about the best future path to take. I wanted to start discussion on the future vision for CPE. In the very near term we have a new minor release (2.2) scheduled to be official on March 11. There is also a huge push currently ongoing to clean-up the Official CPE Dictionary. But where do we go after that? There is a lot in this email, for that I apologize. Hopefully some of these points can sparks some discussion as your views will help us better understand where CPE needs to go. Questions below: - What are we enumerating? - Is software inventory THE target technical use case? - Should the CPE Language be removed? - What should we do with CPE Matching? - Should we keep the URI? ------------------------- By name CPE is an enumeration. Probably the biggest question to be answered is what are we enumerating? CPE currently is about enumerating platform types, but this has proved to be a very broad term, and CPE has struggled to address what a platform type is. More on this in a second. Based on the research accomplished this past year regarding technical use cases, one option would be for CPE to focus on the software inventory technical use case. This seems to be the single use case that is shared across all members of the CPE Community. By narrowing our focus, we can hopefully deliver a solution that works for those users and not get bogged down trying to support fringe cases. Agree? The software inventory technical use case calls for enumerating platform types based on the underlying software products (either operating systems or applications). What is a software product? This could be defined using the following characteristics: * A user can download or buy it. * There is a vendor/organization that produces it. * An enterprise IT administrator can push it out over the enterprise network and install it into their environment. * It is (or can be) recorded by an asset management tool. In other words, every CPE Name should have at its root a software product. CPE would not try to name web pages, code libraries, functional types, etc. These areas are still important and we as a community need to address them. The suggestion however is to address them with their own enumerations and enable CPE to focus on its core mission. A movement toward multiple enumerations brings to light the need for a good expression language to tie everything together and make more complex statements. This in a way relates to the goal of the CPE Language. The CPE Language is currently under-used (if at all) and really goes against the idea of simplifying CPE. Should this be removed from CPE and stood up on its own or merged into an existing initiative? Thoughts? As we address the questions above, CPE might need to evolve to meet the technical challenges encountered and to try and solve the issues that have been experienced in version 2. Some of the ideas that have been brought up in the past: - don't make any major changes, even with its issues CPE is working well enough, focus on some minor tweaking - the URI is a major problem as the terms used are not permanent (e.g. product name changes) and are not consistent (e.g. 'windows_2003_server' and 'window_server_2003'), thus we should move away from the URI and switch to a numerical id - matching is the root of CPE's issues (e.g. the version component) and need to either be removed or completely rewritten (can we leverage an ontology?) - CPE should not try to be an enumeration but rather should be an expression enabling a user to talk about some combination of vendor, product, and version related to a target What is your reaction to the ideas above? Are there other ideas that need to be considered? Over the next few weeks I will be putting together a proposal for where to go with CPE and what changes should be considered, but I need your input to make sure that Version 3 is a long-term success. I thank you in advance for help you can provide on steering this ship. Thanks Drew --------- Andrew Buttner The MITRE Corporation [hidden email] 781-271-3515  CPE Ontology in UML 5 Mar 09.jpg (94K) Download Attachment cpe-core.xsd (9K) Download Attachment smime.p7s (6K) Download Attachment |
||||||||
|
|
||||||||
|
In reply to this post
by Wolfkiel, Joseph
|
||||||||
|
|
Some javascript/style in this post has been disabled (why?)
The enumeration concept has been a confusing
discussion. When I talk about "enumeration" with respect to CPE, I'm
thinking that CPE should "enumerate" all legal combinations of CPE component
names (vendor/product/version/update/edition/targetHW/targetSW/language) along
with the names. When we can fully populate all combinations, we have
"enumerated" all software names.
With respect to the above explanation, I think having the
enumeration allows to share a common lexicon when sharing information about
names for, and linkages between vendor, product, and version related to a
target. My thought is that providing a combination of vendor, product, and
version (or other components) would be how you would express a valid CPE
name.
Alternatively, you could express unique IDs
(i.e. alpha-numeric IDs like CPE(vend=666 prod=123 vers=658) for
each vendor, product, and version. I'm a little ambiguous about the
numeric identifiers because they assume you actually know the names of all the
software you want to describe beforehand. When we want to use automated
discovery tools, any time a new product shows up, it leaves the tool without a
way to communicate the previously unseen product or product
component.
Within the DoD, we've seen very limited use for describing
hardware. Generally, when something is described as hardware, we're trying
to relate it back to firmware apps or firmware OSs. I'm not aware of any
existing vulnerabilities or settings contained in security guidance that are
actually targeted at physical hardware (e.g. setting switches, disconnecting
cables, installed power supplies) that can be scanned for with automated
tools. I also think going into that domain will cause any number of
problems with naming and ontological relationships.
Short answer, I would advocate for dispensing with hardware
in CPE for the time being. However, I would allow hardware names to be
used to represent the firmware installed on hardware. That's one of the
reasons I would advocate for doing away with the part type attribute, since I
can't really think of a place where it adds value, but many where it sows
confusion.
Lt Col Joseph L.
Wolfkiel From: Dawn Adams [mailto:[hidden email]] Sent: Thursday, March 05, 2009 4:21 PM To: [hidden email] Subject: Re: [CPE-DISCUSSION-LIST] *** renamed attachment *** Re: [CPE-DISCUSSION-LIST] CPE Future Vision Hi Joe, So far this seems like a pretty good
idea. Do you agree with this statement?
CPE should not try to be an enumeration but
rather should be an expression enabling a user to talk about some combination of
vendor, product, and version related to a target.
By this would the target would also be part of the CPE
ID of a product however the naming is
resolved? How would hardware based products fit into the CPE
standard – if at all? I agree with your discussion of deprecation and
URIs. Dawn -----Original Message----- * PGP Bad Signature, Signed by an unverified
key I'm somewhat bummed that I haven't seen any discussion
on this issue. I'll go ahead and try to link it to earlier discussions
about ontologies. Basically, I think the URI structure imposes
unacceptable limits on our ability to express the names we need. I'd like to
go to a tagged structure based on a more informed understanding of what a CPE
is. At the end of the day, I think CPE should be about names for installable
software, legal relationships between those names, and managing a body
of community content that can be used to derive the consensus name for any
given product--so we can build interoperable
tools. Based on my experience in the DoD over the past 2.5
years, I'm thinking CPE should break away from the URI structure and go to a
tagged structure that allows users to populate just the elements they want to
communicate. I'm also thinking CPE should only address installable
software inventories and not try to differentiate between OS and
applications. I don't think vendor is a good base for products, particularly given the open
source community and the potential to have a single product distributed
by multiple vendors. I think product is a better base. I'm also
wondering if any type of transport (URI/XML/CSV/JSON.. whatever) really has any
business prescribing how a given vendor must use the text strings, titles,
and other information tracked in CPE, so I'm thinking it may not have any
business being part of the standard. I'm attaching a UML diagram of how I'm thinking an
ontology for single CPE might look. I'm still trying to determine if
there's a dependency between version and update, but I'm almost completely sure there
isn't a dependency between edition and version, or between edition and
update. I'm also thinking we may need to have subordinate elements of
version that break out major, minor, and sub-minor version
information. I also think deprecation should take place on a
per-component basis. Also that there's no guarantee of uniqueness for the text
names of CPE components, so they should be assigned unique
identifiers, which should be the basis for managing
deprecation. Let me know what you think. If we agree on this,
we can put an "any" tag at the end of the standard CPE Component element list and
other standards can expand on cpe core data by bringing in data elements
that address function, family, hash, etc. That said, the CPE forum is meant to be consensus
driven, so I'll bow to the collective wisdom of contributors to the
list. Also attached an xml schema that implements the ontology
as an XML language. Director, Computer Network Defense Research &
Technology (CND R&T) Program Management Office Ft Commercial 410-854-5401 DSN
244-5401 Fax 410-854-6700 -----Original
Message----- From: Buttner, Drew [mailto:[hidden email]]
Sent: Wednesday, March 04, 2009 2:07
PM To:
[hidden email] Subject: [CPE-DISCUSSION-LIST] CPE Future
Vision All, Version 2.0 of the CPE Specification was released on
September 14th, 2008. At that time the community wanted to see CPE go through
a stabilization period and have the community attempt to use the
specification in order to get a better feel for future direction. The past
year has seen a lot of conversation within the community about possible
direction with some different ideas about the best future path to
take. I wanted to start discussion on the future vision for
CPE. In the very near term we have a new minor release (2.2) scheduled to be
official on March 11. There is also a huge push currently ongoing to clean-up
the Official CPE Dictionary. But where do we go after that?
There is a lot in this email, for that I apologize. Hopefully some of these
points can sparks some discussion as your views will help us better understand
where CPE needs to go. Questions below: - What are we
enumerating? - Is software inventory THE target technical use
case? - Should the CPE Language be
removed? - What should we do with CPE
Matching? - Should we keep the
URI? ------------------------- By name CPE is an enumeration. Probably the
biggest question to be answered is what are we enumerating? CPE currently is about
enumerating platform types, but this has proved to be a very broad term, and
CPE has struggled to address what a platform type is. More on this in a
second. Based on the research accomplished this past year
regarding technical use cases, one option would be for CPE to focus on the
software inventory technical use case. This seems to be the single
use case that is shared across all members of the CPE Community. By
narrowing our focus, we can hopefully deliver a solution that works for those users
and not get bogged down trying to support fringe cases.
Agree? The software inventory technical use case calls for
enumerating platform types based on the underlying software products (either
operating systems or applications). What is a software product?
This could be defined using the following
characteristics: * A user can download or buy
it. * There is a vendor/organization that produces
it. * An enterprise IT administrator can push it out over
the enterprise network and install it into their
environment. * It is (or can be) recorded by an asset management
tool. In other words, every CPE Name should have at its root a
software product. CPE would not try to name web pages, code libraries,
functional types, etc. These areas are still important and we as a community
need to address them. The suggestion however is to address them with their own
enumerations and enable CPE to focus on its core mission. A
movement toward multiple enumerations brings to light the need for a good
expression language to tie everything together and make more complex
statements. This in a way relates to the goal of the CPE Language. The CPE Language
is currently under-used (if at all) and really goes against the idea of
simplifying CPE. Should this be removed from CPE and stood up on its own or
merged into an existing initiative?
Thoughts? As we address the questions above, CPE might need to
evolve to meet the technical challenges encountered and to try and solve
the issues that have been experienced in version 2. Some of the ideas that
have been brought up in the past: - don't make any major changes, even with its issues CPE
is working well enough, focus on some minor
tweaking - the URI is a major problem as the terms used are not
permanent (e.g. product name changes) and are not consistent (e.g.
'windows_2003_server' and 'window_server_2003'), thus we should move away from the
URI and switch to a numerical id - matching is the root of CPE's issues (e.g. the version
component) and need to either be removed or completely rewritten (can we
leverage an ontology?) - CPE should not try to be an enumeration but rather
should be an expression enabling a user to talk about some combination of
vendor, product, and version related to a
target What is your reaction to the ideas above? Are
there other ideas that need to be considered? Over the next few weeks I will
be putting together a proposal for where to go with CPE and what changes
should be considered, but I need your input to make sure that Version 3 is a
long-term success. I thank you in advance for help you can provide on
steering this ship. Thanks Drew --------- Andrew Buttner The MITRE
Corporation 781-271-3515 * Wolfkiel.Joseph.L.0514105171
<[hidden email]> * Issuer: |
||||||||
|
|
In reply to this post
by Ernest Park-2
Some javascript/style in this post has been disabled (why?)
Responses in-line. ****
Lt Col Joseph L.
Wolfkiel From: Ernest Park [mailto:[hidden email]] Sent: Thursday, March 05, 2009 4:07 PM To: [hidden email] Subject: Re: [CPE-DISCUSSION-LIST] CPE Future Vision On Thu, Mar 5, 2009 at 3:50 PM, Wolfkiel, Joseph <[hidden email]>
wrote: I'm somewhat bummed that I haven't seen any discussion on this issue. THe URI structure does provide a simple API - a known way of
communication.
Agreed - it is not a database, and the one dimensional structure is hard to
define the layered interdependancies.
****
Good point. I suppose a URI is just a transport format, and ---if we can
do away with concepts like the "prefix property" and interpretation of
unpopulated spaces to mean something other than "unpopulated"--- it's probably
just as good as any other transport. However, I find it a little
distasteful since it violates the XML concept of self-documenting code, and it
requires a tool to parse twice, once for the XML, twice to get data out of the
URI. ****
It is a reasonable distinction - and any distinction allows further
filtering of data. Whether everybody needs the "application" information or not,
it can be output as a CPE 1.x or 2.x "string" as the result to a basic
query.
Once the string is satisfied, the additional metadata tags - open,
proprietary, community developed - can also be interrogated, assuming a general
output XML schema or database table schema is agreed.
In this way, it is the overall schema with its complex relationships that
defines CPE, not a limited, but valuable, string that gets us to narrow down the
choices that resolve a more complex query.
****
Okay, I'm not really hard over on that one. It is a good filter for
humans. It just starts getting sticky when you consider that JRE
serves as an OS, but runs on an OS and many similar relationships exist between
installable plug-ins and their applications. I just don't think there's
much machine-reasoning that can be built into the distinction between OS and
app. I'm much more comfortable with adding a tag to describe target
software architecture -- whether that be JRE, windows, OSX,
etc. ****
I don't think vendor For OSS - vendor in reality needs to be the lowest common denominator, or
can be a few. In my database, a single product can be joined to multiple vendors
due to changes in publishing, development, etc, over the life. I can therefore
"fix" dynamic and historically evolving data to be a flat string to serve the
needs of CPE constrained reporting, while my database is aware of the complex
relations that make up a name definition. This problem is not distinct to OSS,
as acquisitions, bankruptcies, lawsuits, all change hte ownership and the
provenance of software over its life.
If a CPE string is a reporting mechanism, then it works. The database has
to understand the complexity of the data, but hte string output can be
simplified and human friendly.
In this way, by CPE normalized output can be read by another tool that can
read CPE, and it can layer additional metadata into a three dimensional
output.
I still think that the basic string elements are valid, as long as we
agree to synchronize the highest level of the database, then we all
communicate using these strings.
Additionally, these strings may not be unique, or for any given
combination, there may be multiple different results. Understanding this, the
query that builds the result set needs to contain additional test logic to
further qualifiy the multiple result possibilities for the most likely
match.
**** Again, I don't disagree. If we can
agree to drop the "prefix property" and just note that the URI structure should
hold vendor name in the first position, product name in the 2nd, ... then it's
just a transport mechanism. As it is now, with matching and all the added
complexity the cpe URI is difficult to deal with. I also agree that,
in a user interface, giving the ability to sort products by the different
vendors that have distributed them is a great capability. But I don't
think saying that having a relationship where "vendor" is a "distributed-by"
relationship to product would prevent you from doing
that.****
Why deprecate at all? I maintain old names - all names, just in case older
data is floating around. I can correct the query and I still have all the
permutations. I don't care if I have ten different things that resolve to
apache:server (made up example), I can drill through a smaller result set of ten
records easier than 50,000 and more.
**** I
don't equate "deprecate" with "delete." I would expect any database to
maintain old, outdated names in a deprecated status so you can retain historical
relationships. I'm just not comfortable with "same as" as a way to deal
with product names that have been changed as part of an acquisition or
other process. This assumes you may have multiple ways for users to
select the same product name.****
|
||||||||
|
In reply to this post
by Wolfkiel, Joseph
If we are really talking about using an ontological approach, then I strongly recommend that we look at representing this domain in RDF/RDFS and maybe OWL although for our purposes RDFS might suffice.
If we are just talking about tagging and adding facets to the data, then XML Schema is all we need and I'm all for using the right tool for the job. Let me make a bet that if we don't make this move now to RDF/RDFS/OWL, we will be kicking ourselves in a year or less. Attached is your .xsd as represented in OWL-full. Again, we don't need to use OWL-full, and the beauty is that we can use only enough OWL as is needed to model the domain. If you have a tool like Protégé 4 or TopBraidComposer, you can open the .owl file I have attached. So what? What is so special about the owl versus the xsd representation? Once in RDFS or OWL, we would not only be able to assert RDF triples but also infer them. Inference is the force multiplier because anyone who thinks human are able to perform all the assertions to continuously model this complex and changing domain is fooling themselves. Don't get me started here because let me just end with: we should be inferring vulnerabilities and higher order concepts, NOT asserting them. What is the unique value in an ontological representation such as RDF/RDFS/OWL? 1) RDF will finally allow us to model using a graph 2) RDFS afford us ontological modeling. Features that allow us to manage type constraints, instance and class attributes, subclassof type propagation, binary and n-ary relationships, relation hierarchies, etc 3) Beyond RDFS, we may need these OWL features: disjoint-decomposition, cardinality constraints, binary functions, and we could use all or some of OWL on an as-needed basis. 4) when it comes time to tie it all together (CPE, CWE, CCE, etc) or just some of them, this type of federation is simple and easy to manage if we are modeled at the RDFS/OWL level. I can go on and on about the benefits of using these higher level W3C standards for our purposes but I'll just leave it at that. Forgive me for being so passionate about this topic but I probably have more scar tissue than most on this topic. --tk Timothy D. Keanini Sr., CTO nCircle Network Security Office: +1 (415) 625-5939 www.ncircle.com blog.ncircle.com -----Original Message----- From: Wolfkiel, Joseph [mailto:[hidden email]] Sent: Thursday, March 05, 2009 2:50 PM To: [hidden email] Subject: Re: [CPE-DISCUSSION-LIST] CPE Future Vision I'm somewhat bummed that I haven't seen any discussion on this issue. I'll go ahead and try to link it to earlier discussions about ontologies. Basically, I think the URI structure imposes unacceptable limits on our ability to express the names we need. I'd like to go to a tagged structure based on a more informed understanding of what a CPE is. At the end of the day, I think CPE should be about names for installable software, legal relationships between those names, and managing a body of community content that can be used to derive the consensus name for any given product--so we can build interoperable tools. Based on my experience in the DoD over the past 2.5 years, I'm thinking CPE should break away from the URI structure and go to a tagged structure that allows users to populate just the elements they want to communicate. I'm also thinking CPE should only address installable software inventories and not try to differentiate between OS and applications. I don't think vendor is a good base for products, particularly given the open source community and the potential to have a single product distributed by multiple vendors. I think product is a better base. I'm also wondering if any type of transport (URI/XML/CSV/JSON.. whatever) really has any business prescribing how a given vendor must use the text strings, titles, and other information tracked in CPE, so I'm thinking it may not have any business being part of the standard. I'm attaching a UML diagram of how I'm thinking an ontology for single CPE might look. I'm still trying to determine if there's a dependency between version and update, but I'm almost completely sure there isn't a dependency between edition and version, or between edition and update. I'm also thinking we may need to have subordinate elements of version that break out major, minor, and sub-minor version information. I also think deprecation should take place on a per-component basis. Also that there's no guarantee of uniqueness for the text names of CPE components, so they should be assigned unique identifiers, which should be the basis for managing deprecation. Let me know what you think. If we agree on this, we can put an "any" tag at the end of the standard CPE Component element list and other standards can expand on cpe core data by bringing in data elements that address function, family, hash, etc. That said, the CPE forum is meant to be consensus driven, so I'll bow to the collective wisdom of contributors to the list. Also attached an xml schema that implements the ontology as an XML language. Lt Col Joseph L. Wolfkiel Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office 9800 Savage Rd Ste 6767 Ft Meade, MD 20755-6767 Commercial 410-854-5401 DSN 244-5401 Fax 410-854-6700 -----Original Message----- From: Buttner, Drew [mailto:[hidden email]] Sent: Wednesday, March 04, 2009 2:07 PM To: [hidden email] Subject: [CPE-DISCUSSION-LIST] CPE Future Vision All, Version 2.0 of the CPE Specification was released on September 14th, 2008. At that time the community wanted to see CPE go through a stabilization period and have the community attempt to use the specification in order to get a better feel for future direction. The past year has seen a lot of conversation within the community about possible direction with some different ideas about the best future path to take. I wanted to start discussion on the future vision for CPE. In the very near term we have a new minor release (2.2) scheduled to be official on March 11. There is also a huge push currently ongoing to clean-up the Official CPE Dictionary. But where do we go after that? There is a lot in this email, for that I apologize. Hopefully some of these points can sparks some discussion as your views will help us better understand where CPE needs to go. Questions below: - What are we enumerating? - Is software inventory THE target technical use case? - Should the CPE Language be removed? - What should we do with CPE Matching? - Should we keep the URI? ------------------------- By name CPE is an enumeration. Probably the biggest question to be answered is what are we enumerating? CPE currently is about enumerating platform types, but this has proved to be a very broad term, and CPE has struggled to address what a platform type is. More on this in a second. Based on the research accomplished this past year regarding technical use cases, one option would be for CPE to focus on the software inventory technical use case. This seems to be the single use case that is shared across all members of the CPE Community. By narrowing our focus, we can hopefully deliver a solution that works for those users and not get bogged down trying to support fringe cases. Agree? The software inventory technical use case calls for enumerating platform types based on the underlying software products (either operating systems or applications). What is a software product? This could be defined using the following characteristics: * A user can download or buy it. * There is a vendor/organization that produces it. * An enterprise IT administrator can push it out over the enterprise network and install it into their environment. * It is (or can be) recorded by an asset management tool. In other words, every CPE Name should have at its root a software product. CPE would not try to name web pages, code libraries, functional types, etc. These areas are still important and we as a community need to address them. The suggestion however is to address them with their own enumerations and enable CPE to focus on its core mission. A movement toward multiple enumerations brings to light the need for a good expression language to tie everything together and make more complex statements. This in a way relates to the goal of the CPE Language. The CPE Language is currently under-used (if at all) and really goes against the idea of simplifying CPE. Should this be removed from CPE and stood up on its own or merged into an existing initiative? Thoughts? As we address the questions above, CPE might need to evolve to meet the technical challenges encountered and to try and solve the issues that have been experienced in version 2. Some of the ideas that have been brought up in the past: - don't make any major changes, even with its issues CPE is working well enough, focus on some minor tweaking - the URI is a major problem as the terms used are not permanent (e.g. product name changes) and are not consistent (e.g. 'windows_2003_server' and 'window_server_2003'), thus we should move away from the URI and switch to a numerical id - matching is the root of CPE's issues (e.g. the version component) and need to either be removed or completely rewritten (can we leverage an ontology?) - CPE should not try to be an enumeration but rather should be an expression enabling a user to talk about some combination of vendor, product, and version related to a target What is your reaction to the ideas above? Are there other ideas that need to be considered? Over the next few weeks I will be putting together a proposal for where to go with CPE and what changes should be considered, but I need your input to make sure that Version 3 is a long-term success. I thank you in advance for help you can provide on steering this ship. Thanks Drew --------- Andrew Buttner The MITRE Corporation [hidden email] 781-271-3515 |
||||||||
|
|
I'd like some feedback on this.
In general, I consider the ontology discussion a human planning stage to determine exactly what we want to represent in XML, JSON, CSV, URI, or whatever transport we want to use. UML Class diagrams or E-R diagrams are great ways of representing ontological relationships that humans can understand, debate, and agree on, then easily implementable in XML schema or Relational Databases. OWL and RDF are intended (in my understanding-and consistent with your explanation) to support machine understanding of data relationships in an attempt to allow machines to "reason" and make "inferences" with the data. I'm under the impression that most of the vendors and consumers in the CPE market space aren't planning to do anything with the ontological discussions we're having other than to ensure the data structures they/we build are able to represent the data properly (i.e. by developing appropriate XML schemas or database table structures). That's the intent of my internal developers. However, if there is a large demand in the CPE community to express CPE ontological "knowledge" in RDF and OWL so it is machine-consumable, then by all means let's go there. Of course, not being a machine, I'll still want to see it in UML class diagrams or E-R diagrams. The request I'd like to make then, is: "If you're a vendor or consumer of CPE data and you plan to, or would like to use machine-consumable ontological data in the form of RDF/RDFS/OWL please share that information with the list." Of course, if I don't understand the use/value of the RDF/RDFS/OWL or the way different vendors/consumers would use it, I would like to have that information too. Lt Col Joseph L. Wolfkiel Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office 9800 Savage Rd Ste 6767 Ft Meade, MD 20755-6767 Commercial 410-854-5401 DSN 244-5401 Fax 410-854-6700 -----Original Message----- From: Tim Keanini [mailto:[hidden email]] Sent: Thursday, March 05, 2009 6:21 PM To: [hidden email] Subject: Re: [CPE-DISCUSSION-LIST] CPE Future Vision If we are really talking about using an ontological approach, then I strongly recommend that we look at representing this domain in RDF/RDFS and maybe OWL although for our purposes RDFS might suffice. If we are just talking about tagging and adding facets to the data, then XML Schema is all we need and I'm all for using the right tool for the job. Let me make a bet that if we don't make this move now to RDF/RDFS/OWL, we will be kicking ourselves in a year or less. Attached is your .xsd as represented in OWL-full. Again, we don't need to use OWL-full, and the beauty is that we can use only enough OWL as is needed to model the domain. If you have a tool like Protégé 4 or TopBraidComposer, you can open the .owl file I have attached. So what? What is so special about the owl versus the xsd representation? Once in RDFS or OWL, we would not only be able to assert RDF triples but also infer them. Inference is the force multiplier because anyone who thinks human are able to perform all the assertions to continuously model this complex and changing domain is fooling themselves. Don't get me started here because let me just end with: we should be inferring vulnerabilities and higher order concepts, NOT asserting them. What is the unique value in an ontological representation such as RDF/RDFS/OWL? 1) RDF will finally allow us to model using a graph 2) RDFS afford us ontological modeling. Features that allow us to manage type constraints, instance and class attributes, subclassof type propagation, binary and n-ary relationships, relation hierarchies, etc 3) Beyond RDFS, we may need these OWL features: disjoint-decomposition, cardinality constraints, binary functions, and we could use all or some of OWL on an as-needed basis. 4) when it comes time to tie it all together (CPE, CWE, CCE, etc) or just some of them, this type of federation is simple and easy to manage if we are modeled at the RDFS/OWL level. I can go on and on about the benefits of using these higher level W3C standards for our purposes but I'll just leave it at that. Forgive me for being so passionate about this topic but I probably have more scar tissue than most on this topic. --tk Timothy D. Keanini Sr., CTO nCircle Network Security Office: +1 (415) 625-5939 www.ncircle.com blog.ncircle.com -----Original Message----- From: Wolfkiel, Joseph [mailto:[hidden email]] Sent: Thursday, March 05, 2009 2:50 PM To: [hidden email] Subject: Re: [CPE-DISCUSSION-LIST] CPE Future Vision I'm somewhat bummed that I haven't seen any discussion on this issue. I'll go ahead and try to link it to earlier discussions about ontologies. Basically, I think the URI structure imposes unacceptable limits on our ability to express the names we need. I'd like to go to a tagged structure based on a more informed understanding of what a CPE is. At the end of the day, I think CPE should be about names for installable software, legal relationships between those names, and managing a body of community content that can be used to derive the consensus name for any given product--so we can build interoperable tools. Based on my experience in the DoD over the past 2.5 years, I'm thinking CPE should break away from the URI structure and go to a tagged structure that allows users to populate just the elements they want to communicate. I'm also thinking CPE should only address installable software inventories and not try to differentiate between OS and applications. I don't think vendor is a good base for products, particularly given the open source community and the potential to have a single product distributed by multiple vendors. I think product is a better base. I'm also wondering if any type of transport (URI/XML/CSV/JSON.. whatever) really has any business prescribing how a given vendor must use the text strings, titles, and other information tracked in CPE, so I'm thinking it may not have any business being part of the standard. I'm attaching a UML diagram of how I'm thinking an ontology for single CPE might look. I'm still trying to determine if there's a dependency between version and update, but I'm almost completely sure there isn't a dependency between edition and version, or between edition and update. I'm also thinking we may need to have subordinate elements of version that break out major, minor, and sub-minor version information. I also think deprecation should take place on a per-component basis. Also that there's no guarantee of uniqueness for the text names of CPE components, so they should be assigned unique identifiers, which should be the basis for managing deprecation. Let me know what you think. If we agree on this, we can put an "any" tag at the end of the standard CPE Component element list and other standards can expand on cpe core data by bringing in data elements that address function, family, hash, etc. That said, the CPE forum is meant to be consensus driven, so I'll bow to the collective wisdom of contributors to the list. Also attached an xml schema that implements the ontology as an XML language. Lt Col Joseph L. Wolfkiel Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office 9800 Savage Rd Ste 6767 Ft Meade, MD 20755-6767 Commercial 410-854-5401 DSN 244-5401 Fax 410-854-6700 -----Original Message----- From: Buttner, Drew [mailto:[hidden email]] Sent: Wednesday, March 04, 2009 2:07 PM To: [hidden email] Subject: [CPE-DISCUSSION-LIST] CPE Future Vision All, Version 2.0 of the CPE Specification was released on September 14th, 2008. At that time the community wanted to see CPE go through a stabilization period and have the community attempt to use the specification in order to get a better feel for future direction. The past year has seen a lot of conversation within the community about possible direction with some different ideas about the best future path to take. I wanted to start discussion on the future vision for CPE. In the very near term we have a new minor release (2.2) scheduled to be official on March 11. There is also a huge push currently ongoing to clean-up the Official CPE Dictionary. But where do we go after that? There is a lot in this email, for that I apologize. Hopefully some of these points can sparks some discussion as your views will help us better understand where CPE needs to go. Questions below: - What are we enumerating? - Is software inventory THE target technical use case? - Should the CPE Language be removed? - What should we do with CPE Matching? - Should we keep the URI? ------------------------- By name CPE is an enumeration. Probably the biggest question to be answered is what are we enumerating? CPE currently is about enumerating platform types, but this has proved to be a very broad term, and CPE has struggled to address what a platform type is. More on this in a second. Based on the research accomplished this past year regarding technical use cases, one option would be for CPE to focus on the software inventory technical use case. This seems to be the single use case that is shared across all members of the CPE Community. By narrowing our focus, we can hopefully deliver a solution that works for those users and not get bogged down trying to support fringe cases. Agree? The software inventory technical use case calls for enumerating platform types based on the underlying software products (either operating systems or applications). What is a software product? This could be defined using the following characteristics: * A user can download or buy it. * There is a vendor/organization that produces it. * An enterprise IT administrator can push it out over the enterprise network and install it into their environment. * It is (or can be) recorded by an asset management tool. In other words, every CPE Name should have at its root a software product. CPE would not try to name web pages, code libraries, functional types, etc. These areas are still important and we as a community need to address them. The suggestion however is to address them with their own enumerations and enable CPE to focus on its core mission. A movement toward multiple enumerations brings to light the need for a good expression language to tie everything together and make more complex statements. This in a way relates to the goal of the CPE Language. The CPE Language is currently under-used (if at all) and really goes against the idea of simplifying CPE. Should this be removed from CPE and stood up on its own or merged into an existing initiative? Thoughts? As we address the questions above, CPE might need to evolve to meet the technical challenges encountered and to try and solve the issues that have been experienced in version 2. Some of the ideas that have been brought up in the past: - don't make any major changes, even with its issues CPE is working well enough, focus on some minor tweaking - the URI is a major problem as the terms used are not permanent (e.g. product name changes) and are not consistent (e.g. 'windows_2003_server' and 'window_server_2003'), thus we should move away from the URI and switch to a numerical id - matching is the root of CPE's issues (e.g. the version component) and need to either be removed or completely rewritten (can we leverage an ontology?) - CPE should not try to be an enumeration but rather should be an expression enabling a user to talk about some combination of vendor, product, and version related to a target What is your reaction to the ideas above? Are there other ideas that need to be considered? Over the next few weeks I will be putting together a proposal for where to go with CPE and what changes should be considered, but I need your input to make sure that Version 3 is a long-term success. I thank you in advance for help you can provide on steering this ship. Thanks Drew --------- Andrew Buttner The MITRE Corporation [hidden email] 781-271-3515 |
||||||||
|
|
||||||||
|
|
In reply to this post
by Andrew Buttner
|
||||||||
|
|
In reply to this post
by Harold Booth-2
|
||||||||
|
|
|
||||||||
|
|
In reply to this post
by Tim Keanini
|
||||||||
|
|
In reply to this post
by Ernest Park-2
|
||||||||
|
|
In reply to this post
by Andrew Buttner
|
||||||||
|
|
In reply to this post
by Andrew Buttner
|
||||||||
|
|
In reply to this post
by Tim Keanini
|
||||||||
|
|
|
||||||||
| Free Embeddable Forum Powered by Nabble | Help |
