Re: OVAL Developer Days - Than k You

FYI, I've asked the team at G2 to analyze remediation languages submitted to
the OVAL list and build a language that implements a common core set of
functionality.

One recommendation we plan to make will be to decouple the remediation
language somewhat from the assessment language.  The idea is to allow a tool
or user to choose whether to modify systems either as a function of finding
a vulnerability or unilaterally, independent of a vulnerability assessment.
We've kicked around the idea of calling the language the Open Remediation
and Modification Language (ORML).  We plan to provide an initial draft we
can publish to the list within the next month.

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


-----Original Message-----
From: Vladimir Giszpenc [mailto:[hidden email]]
Sent: Tuesday, June 24, 2008 2:15 PM
To: [hidden email]
Subject: Re: [OVAL-REMEDIATION-DISCUSSION-LIST] OVAL Developer Days -
Thank You


Hi Jon et al,

My apologies, but someone needs to nag...  

I don't think this list received remediation specific minutes.  The minutes
may all have gone to the OVAL list.  This list needs to become active!

Remediation is a big deal and I hate to see it getting forgotten.  I don't
know if we are waiting for the vendors who have added remediation to donate
their schemas to the community or something else, but we need to start
developing remediation enhancements for OVAL so the content producers can
encode fixes and the remediation engines can exercise that content.

Everyone seemed excited about this topic at Developer Days.  Has anything
happened since?  What is the plan?

Regards,

Vladimir Giszpenc
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

One of the goals that came out of Developer Days was to leverage the
existing assessment language constructs.  In particular, find a way to use
the OVAL "object" structure in the upcoming remediation language.  There are
two *very* good reasons to do this:

1) Cut development time for all vendors.  Tools that can interpret the
object structure for assessments will be able to use that same code logic in
determining what to apply remediation actions to.

2) Ease of generate remediation content.  Even if such content is not
auto-generated, being able to re-use the OVAL objects will greatly reduce
ORML maintenance.


There are at least two development shops that came to this conclusion
independently in the process of analysis and implementation.  A couple of
rather sharp guys at MITRE also noted that object reuse would be a big plus
in a remediation language.

From many angles, such reuse seems to be a great, almost obvious approach.
When we talk about decoupling OMRL from OVAL, are we talking about ignoring
the aforementioned thought process?

Also, please take no offense, but isn't such an analysis already underway at
MITRE and wouldn't MITRE be a more appropriate body to chart this course?


Thank you for your interest in ThreatGuard.

-rob
Robert L. Hollis
ThreatGuard, Inc.
www.ThreatGuard.com
210.846.5269

. -----Original Message-----
. From: Wolfkiel, Joseph [mailto:[hidden email]]
. Sent: Friday, June 27, 2008 11:27 AM
. To: [hidden email]
. Subject: Re: [OVAL-REMEDIATION-DISCUSSION-LIST] OVAL Developer Days - Than
. k You
.
. FYI, I've asked the team at G2 to analyze remediation languages submitted
. to
. the OVAL list and build a language that implements a common core set of
. functionality.
.
. One recommendation we plan to make will be to decouple the remediation
. language somewhat from the assessment language.  The idea is to allow a
. tool
. or user to choose whether to modify systems either as a function of
. finding
. a vulnerability or unilaterally, independent of a vulnerability
. assessment.
. We've kicked around the idea of calling the language the Open Remediation
. and Modification Language (ORML).  We plan to provide an initial draft we
. can publish to the list within the next month.
.
. Lt Col Joseph L. Wolfkiel
.
. Director, Computer Network Defense Research & Technology (CND R&T) Program
. Management Office
.
. 9800 Savage Rd Ste 6767
. Ft Meade, MD 20755-6767
. Commercial 410-854-5401 DSN 244-5401
. Fax 410-854-6700
.
.
. -----Original Message-----
. From: Vladimir Giszpenc [mailto:[hidden email]]
. Sent: Tuesday, June 24, 2008 2:15 PM
. To: [hidden email]
. Subject: Re: [OVAL-REMEDIATION-DISCUSSION-LIST] OVAL Developer Days -
. Thank You
.
.
. Hi Jon et al,
.
. My apologies, but someone needs to nag...
.
. I don't think this list received remediation specific minutes.  The
. minutes
. may all have gone to the OVAL list.  This list needs to become active!
.
. Remediation is a big deal and I hate to see it getting forgotten.  I don't
. know if we are waiting for the vendors who have added remediation to
. donate
. their schemas to the community or something else, but we need to start
. developing remediation enhancements for OVAL so the content producers can
. encode fixes and the remediation engines can exercise that content.
.
. Everyone seemed excited about this topic at Developer Days.  Has anything
. happened since?  What is the plan?
.
. Regards,
.
. Vladimir Giszpenc
. DSCI Contractor Supporting
. US Army CERDEC S&TCD IAD Tactical Network Protection Branch
. (732) 532-8959
.
. > -----Original Message-----
. > From: Baker, Jon [mailto:[hidden email]]
. > Sent: Wednesday, April 30, 2008 10:30 AM
. > To: [hidden email]
. > Subject: [OVAL-REMEDIATION-DISCUSSION-LIST] OVAL Developer Days - Thank
. > You
. >
. > For those of you that could attend this year's OVAL Developer Days,
. > thank you for making the event a tremendous success. For all of you
. > that could not attend we hope you will be able to attend next year.
. >
. > Over the next week or two we will develop minutes from the event and
. > distribute them via this mailing list for your review and feedback.
. >
. > Thank you all for your efforts,
. >
. > Jon
. >
. > ============================================
. > Jonathan O. Baker
. > The MITRE Corporation
. > Email: [hidden email]

We did talk with MITRE about this.  I'll follow up and see where the
apparent disconnects are coming from.

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office

9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


-----Original Message-----
From: Robert Hollis [mailto:[hidden email]]
Sent: Friday, June 27, 2008 4:11 PM
To: [hidden email]
Subject: Re: [OVAL-REMEDIATION-DISCUSSION-LIST] OVAL Developer Days -
Than k You


One of the goals that came out of Developer Days was to leverage the
existing assessment language constructs.  In particular, find a way to use
the OVAL "object" structure in the upcoming remediation language.  There are
two *very* good reasons to do this:

1) Cut development time for all vendors.  Tools that can interpret the
object structure for assessments will be able to use that same code logic in
determining what to apply remediation actions to.

2) Ease of generate remediation content.  Even if such content is not
auto-generated, being able to re-use the OVAL objects will greatly reduce
ORML maintenance.


There are at least two development shops that came to this conclusion
independently in the process of analysis and implementation.  A couple of
rather sharp guys at MITRE also noted that object reuse would be a big plus
in a remediation language.

From many angles, such reuse seems to be a great, almost obvious approach.
When we talk about decoupling OMRL from OVAL, are we talking about ignoring
the aforementioned thought process?

Also, please take no offense, but isn't such an analysis already underway at
MITRE and wouldn't MITRE be a more appropriate body to chart this course?


Thank you for your interest in ThreatGuard.

-rob
Robert L. Hollis
ThreatGuard, Inc.
www.ThreatGuard.com
210.846.5269

. -----Original Message-----
. From: Wolfkiel, Joseph [mailto:[hidden email]]
. Sent: Friday, June 27, 2008 11:27 AM
. To: [hidden email]
. Subject: Re: [OVAL-REMEDIATION-DISCUSSION-LIST] OVAL Developer Days - Than
. k You
.
. FYI, I've asked the team at G2 to analyze remediation languages submitted
. to
. the OVAL list and build a language that implements a common core set of
. functionality.
.
. One recommendation we plan to make will be to decouple the remediation
. language somewhat from the assessment language.  The idea is to allow a
. tool
. or user to choose whether to modify systems either as a function of
. finding
. a vulnerability or unilaterally, independent of a vulnerability
. assessment.
. We've kicked around the idea of calling the language the Open Remediation
. and Modification Language (ORML).  We plan to provide an initial draft we
. can publish to the list within the next month.
.
. Lt Col Joseph L. Wolfkiel
.
. Director, Computer Network Defense Research & Technology (CND R&T) Program
. Management Office
.
. 9800 Savage Rd Ste 6767
. Ft Meade, MD 20755-6767
. Commercial 410-854-5401 DSN 244-5401
. Fax 410-854-6700
.
.
. -----Original Message-----
. From: Vladimir Giszpenc [mailto:[hidden email]]
. Sent: Tuesday, June 24, 2008 2:15 PM
. To: [hidden email]
. Subject: Re: [OVAL-REMEDIATION-DISCUSSION-LIST] OVAL Developer Days -
. Thank You
.
.
. Hi Jon et al,
.
. My apologies, but someone needs to nag...
.
. I don't think this list received remediation specific minutes.  The
. minutes
. may all have gone to the OVAL list.  This list needs to become active!
.
. Remediation is a big deal and I hate to see it getting forgotten.  I don't
. know if we are waiting for the vendors who have added remediation to
. donate
. their schemas to the community or something else, but we need to start
. developing remediation enhancements for OVAL so the content producers can
. encode fixes and the remediation engines can exercise that content.
.
. Everyone seemed excited about this topic at Developer Days.  Has anything
. happened since?  What is the plan?
.
. Regards,
.
. Vladimir Giszpenc
. DSCI Contractor Supporting
. US Army CERDEC S&TCD IAD Tactical Network Protection Branch
. (732) 532-8959
.
. > -----Original Message-----
. > From: Baker, Jon [mailto:[hidden email]]
. > Sent: Wednesday, April 30, 2008 10:30 AM
. > To: [hidden email]
. > Subject: [OVAL-REMEDIATION-DISCUSSION-LIST] OVAL Developer Days - Thank
. > You
. >
. > For those of you that could attend this year's OVAL Developer Days,
. > thank you for making the event a tremendous success. For all of you
. > that could not attend we hope you will be able to attend next year.
. >
. > Over the next week or two we will develop minutes from the event and
. > distribute them via this mailing list for your review and feedback.
. >
. > Thank you all for your efforts,
. >
. > Jon
. >
. > ============================================
. > Jonathan O. Baker
. > The MITRE Corporation
. > Email: [hidden email]

>
>FYI, I've asked the team at G2 to analyze remediation languages
>submitted to
>the OVAL list and build a language that implements a common core set
of
>functionality.
>

This is good news for us all. It is great to get another organization
interested in advancing a remediation language in the near future.

>One recommendation we plan to make will be to decouple the remediation
>language somewhat from the assessment language.  The idea is to allow
a
At OVAL Developer days I think that there was general consensuses that
a remediation solution would really be scoped at modifying a system and
I think it was also agreed that it was probably generally a good idea
to decouple remediation statements from oval definitions. More of this
is available in the minutes from the remediation session at OVAL
Developer days.

Thanks,

Jon

I spoke with Lt Col Joseph L. Wolfkiel, Rob Hollis, and Nick Hansen
this afternoon to make sure that all of us are operating in sync with
each other. As I said in my post last night Joe's interest in
remediation is good news for us all. We are getting ready here at MITRE
to pick up and continue topics form OVAL Developer Days, and
remediation is one of the big topics to address.

G2, ThreatGuard, and HP are going to start drafting a consolidated
remediation proposal and all of you are welcome and encourage to
participate in its creation. To ensure that all interested
organizations have an opportunity to participate and we arrive at a
broadly applicable solution  this list will serve as the primary
communication mechanism. As a reminder archives of this list are
available here:
http://n2.nabble.com/OVAL-Remediation-Forum-f24072ef20093.html

As conference calls are needed to drive this effort forward MITRE will
setup and distribute dial in information. In the past we have been able
to coordinate call times via these lists and I think we will continue
to be able to do that for remediation.

I think our goal should be to have a remediation language ready for
release around the time of version 6 of the oval language. I would
expect usable drafts to be available much sooner. Once we have agreed
upon a remediation proposal we will look to the OVAL Board for guidance
and help determining how best

Regards,

Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: [hidden email]


There - remediation
>. language somewhat from the assessment language.  The idea is to
allow
>a
>. tool
>. or user to choose whether to modify systems either as a function of
>. finding
>. a vulnerability or unilaterally, independent of a vulnerability
>. assessment.
>. We've kicked around the idea of calling the language the Open
>Remediation
>. and Modification Language (ORML).  We plan to provide an initial
draft - active!
>.
>. Remediation is a big deal and I hate to see it getting forgotten.  I
>don't
>. know if we are waiting for the vendors who have added remediation to
>. donate
>. their schemas to the community or something else, but we need to
start
>. developing remediation enhancements for OVAL so the content
producers Days,
>. > thank you for making the event a tremendous success. For all of
you
>. > that could not attend we hope you will be able to attend next
year.
>. >
>. > Over the next week or two we will develop minutes from the event
and
>. > distribute them via this mailing list for your review and
feedback.
>. >
>. > Thank you all for your efforts,
>. >
>. > Jon
>. >
>. > ============================================
>. > Jonathan O. Baker
>. > The MITRE Corporation
>. > Email: [hidden email]