Cybersecurity Automation Project - Topic for OCA PGB meeting


duncan@sfractal
 

Revising “next few days” – it will probably take longer. I’m hopefully meeting Friday with one of the ‘how does this relate to …’ groups

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: oca-pgb@... <oca-pgb@...> on behalf of duncan@sfractal via lists.oasis-open-projects.org <duncan=sfractal.com@...>
Date: Monday, October 31, 2022 at 2:48 PM
To: oca-pgb@... <oca-pgb@...>
Subject: Re: [oca-pgb] Cybersecurity Automation Project - Topic for OCA PGB meeting

So it sounds like the path forward is I should create a charter including some background and the subproject scope, and request an eballot. I will do that over next few days.

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: oca-pgb@... <oca-pgb@...> on behalf of Matthew Gardiner via lists.oasis-open-projects.org <matthew_gardiner=rapid7.com@...>
Date: Monday, October 31, 2022 at 9:29 AM
To: oca-pgb@... <oca-pgb@...>
Subject: Re: [oca-pgb] Cybersecurity Automation Project - Topic for OCA PGB meeting

In general, given this certainly hits the sweet spot areas of interest of R7, I would certainly be supportive of such an initiative.  I will also float the idea internally as well and will report back anything substantive I get back.


duncan@sfractal
 

So it sounds like the path forward is I should create a charter including some background and the subproject scope, and request an eballot. I will do that over next few days.

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: oca-pgb@... <oca-pgb@...> on behalf of Matthew Gardiner via lists.oasis-open-projects.org <matthew_gardiner=rapid7.com@...>
Date: Monday, October 31, 2022 at 9:29 AM
To: oca-pgb@... <oca-pgb@...>
Subject: Re: [oca-pgb] Cybersecurity Automation Project - Topic for OCA PGB meeting

In general, given this certainly hits the sweet spot areas of interest of R7, I would certainly be supportive of such an initiative.  I will also float the idea internally as well and will report back anything substantive I get back.


Matthew Gardiner
 

In general, given this certainly hits the sweet spot areas of interest of R7, I would certainly be supportive of such an initiative.  I will also float the idea internally as well and will report back anything substantive I get back.


Jason Keirstead
 

Duncan can I make a suggestion to help ensure this moves forward, because based on history it is unlikely we will achieve quorum at the PGB meeting – if we have ballot text proposed, we can start an electronic ballot now and keep it open for 2 weeks. The ballot can then be discussed at the meeting.

 

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management | www.ibm.com/security

 

Assistant - Mauricio Durán Cambronero (mauduran@...)

Co-Chair - Open Cybersecurity Alliance, Project Governing Board

www.opencybersecurityalliance.org

 

 

From: oca-pgb@... <oca-pgb@...> on behalf of duncan@sfractal <duncan@...>
Date: Friday, October 28, 2022 at 10:45 AM
To: oca-pgb@... <oca-pgb@...>, Jane Harnad <jharnad@...>, Claudia Rauch <claudia.rauch@...>, Chet Ensign <chet.ensign@...>
Subject: [EXTERNAL] [oca-pgb] Cybersecurity Automation Project - Topic for OCA PGB meeting

I apologize but I will be unable to attend the 3-Nov PGB meeting since I’ll be guest lecturing at a class and I will also miss the December meeting because I’ll be in Antarctica. I would like the board to discuss my previous proposal to start

ZjQcmQRYFpfptBannerStart

This Message Is From an External Sender

This message came from outside your organization.

ZjQcmQRYFpfptBannerEnd

I apologize but I will be unable to attend the 3-Nov PGB meeting since I’ll be guest lecturing at a class and I will also miss the December meeting because I’ll be in Antarctica. I would like the board to discuss my previous proposal to start a new project called ‘Cybersecurity Automation’. It would have several purposes:

  • Run the Cybersecurity Automation Workshops (http://www.cybersecurityautomationworkshop.org/)
  • Cybersecurity Automation “awareness & adoption” (and thereby OCA PR) eg create big picture use cases showing value of all this stuff working together along the lines of https://youtu.be/oW5JsQX2zuI
  • “Create” standards in Cybersecurity Automation. Create is in quotes because intent is to write standards calling out other standards when possible. For example, I believe we have agreement within OCA that at least one command & control language used by OCA is OpenC2, and one threat language is kestrel. This would codify those in standards as well as in our open source. In some cases it would be “only”, but in many/most cases it would be one of a list (e.g. HTTPS, MQTT, OpenDxl, …)
  • Reinvigorate the membership (no guaruntees but my hope would be this would bring in both new sponsors and new contributing members).

The scope has expanded during the discussions over the last 5 months (e.g not just CAW but including use cases and standards) and stabilized as a project (not workgroup since needs a repo and will make standards track work products). I think it is now stable and the clock is ticking on the next CAW (as well as some good “awareness/adoption” triggers  coming up). So I’d like to move forward via whatever is the correct way to do that. And I don’t want my conflicts with next two PGB’s to delay it further.

 

I am not sure of the proper mechanism for PGB to approve this proposal (Claudia? Jane? Chet? Do you know?) . I presume I’ll have to write something up (what?) to get approved. I’d like to understand (1) if any objections/suggestions/improvements/lukewarm-agreement/wild-enthusiam from PGB meeting and (2) what next steps (eg what do I need to write/do?).

 

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 


duncan@sfractal
 

I apologize but I will be unable to attend the 3-Nov PGB meeting since I’ll be guest lecturing at a class and I will also miss the December meeting because I’ll be in Antarctica. I would like the board to discuss my previous proposal to start a new project called ‘Cybersecurity Automation’. It would have several purposes:

  • Run the Cybersecurity Automation Workshops (http://www.cybersecurityautomationworkshop.org/)
  • Cybersecurity Automation “awareness & adoption” (and thereby OCA PR) eg create big picture use cases showing value of all this stuff working together along the lines of https://youtu.be/oW5JsQX2zuI
  • “Create” standards in Cybersecurity Automation. Create is in quotes because intent is to write standards calling out other standards when possible. For example, I believe we have agreement within OCA that at least one command & control language used by OCA is OpenC2, and one threat language is kestrel. This would codify those in standards as well as in our open source. In some cases it would be “only”, but in many/most cases it would be one of a list (e.g. HTTPS, MQTT, OpenDxl, …)
  • Reinvigorate the membership (no guaruntees but my hope would be this would bring in both new sponsors and new contributing members).

The scope has expanded during the discussions over the last 5 months (e.g not just CAW but including use cases and standards) and stabilized as a project (not workgroup since needs a repo and will make standards track work products). I think it is now stable and the clock is ticking on the next CAW (as well as some good “awareness/adoption” triggers  coming up). So I’d like to move forward via whatever is the correct way to do that. And I don’t want my conflicts with next two PGB’s to delay it further.

 

I am not sure of the proper mechanism for PGB to approve this proposal (Claudia? Jane? Chet? Do you know?) . I presume I’ll have to write something up (what?) to get approved. I’d like to understand (1) if any objections/suggestions/improvements/lukewarm-agreement/wild-enthusiam from PGB meeting and (2) what next steps (eg what do I need to write/do?).

 

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/