Component Use Cases #1080
Replies: 6 comments 8 replies
-
|
* A containerized application/workload running on IaaS (eg agency host the
Kubernetes control plane)
* containers running on public cloud PaaS (cloud provider runs Kubernetes
control plane)
* multi tenant Kubernetes control plane (cloud provider hosts a multi
tenant overarching control plane that allows each tenant to have its own
isolated control plane) on PaaS
* a “logic” or “function” serverless component running in PaaS
…On Mon, Jan 3, 2022 at 3:53 PM Alexander Stein ***@***.***> wrote:
I would like to solicit use cases and scenarios for the creation of OSCAL
components in component-definitions
<https://pages.nist.gov/OSCAL/reference/latest/component-definition/> and
components in system-security-plans
<https://pages.nist.gov/OSCAL/reference/latest/system-security-plan/>.
The hope is, given participant interest in given use cases and scenarios,
we can make a few comprehensive examples.
So, for some background, this topic came up during the December 16, 2021
OSCAL Lunch with the Devs meeting. Participants and the NIST OSCAL Team
further discussed #1073
<#1073> in that meeting and
what techniques might help the community write tools that produce
components or the components themselves.
Tentative List of Use Cases and Scenarios:
- An example component for a web application, a database, and its
infrastructure hosted in a public cloud infrastructure-as-a-Service (IaaS)
platform, with one or more components in a component-definition and
accompanying inventory-items referencing them in the
component-definition; demo scripts or application code to
automatically or semi-automatically produce the inventory and correlate it
to the component
- An example component for a cluster of servers and their
infrastructure hosted in a public cloud infrastructure-as-a-Service (IaaS)
platform, with one or more components in a component-definition and
accompanying inventory-items referencing them in the
component-definition with a multi-layered network topology; demo
scripts or application code to automatically or semi-automatically produce
the inventory and correlate it to the component, focusing on network
topology using network scanning tools to partially automate network
topology documentation
—
Reply to this email directly, view it on GitHub
<#1080>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AQWTGFAD4HGYRVQQPB3HRWTUUIZGDANCNFSM5LGHFXBA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
|
Thanks for your contribution, @sunstonesecure-robert. I hope we get more contributions, but also feedback around which ones have community interest to prioritize. These are definitely contributions, personally, I enjoy so far. These two in particular I find interesting, I know of one system that combines both.
I have some former colleagues running a hybrid of this in a single system, and they also have some basic public documentation (not OSCAL mind you, but a lot of the necessary info), for just such scenarios and use cases: using the GSA TTS cloud.gov system (using the CloudFoundry PaaS) as needed to run an OpenServiceBroker deploying AWS EKS under the hood. |
Beta Was this translation helpful? Give feedback.
-
|
From last week's Lunch with the Devs, we discussed the need to track the provenance of a component in an SSP back to its original (published) component definition. There was interest in tracking:
|
Beta Was this translation helpful? Give feedback.
-
|
Yes, thanks for reminding me. Is this what you had in mind when you said scenario (as opposed to use case)? |
Beta Was this translation helpful? Give feedback.
-
|
This can be turned into a use case, but I don't think that formalization is completely necessary here. It might be good to turn this into a user story though. |
Beta Was this translation helpful? Give feedback.
-
|
We (TestifySec) are working on an implementation of in-toto that we think can help solve this problem. We will be presenting at the CNCF supply chain security working group and in-toto community meeting on the 4th of February, the repo will be public then. https://github.com/testifysec/witness is the repo. It is licensed under Apache 2.0 I am new to OSCAL, I have a lot of reading to do, but it seems we should be doing some sort of translation to the OSCAL data model to encourage interoperability and automation with other tools. |
Beta Was this translation helpful? Give feedback.
-
Sounds cool definitely check out are very detailed documentation pages and give us feedback or ask questions here. |
Beta Was this translation helpful? Give feedback.
-
|
Looking at this, it looks like we can use a witness policy evaluation result as the evaluator. Should we generate a document like the one referenced for each component in the system? Test Result Attestation Data ---Feeds--> Rego Policy Evaulation ---Create--> Component Definition |
Beta Was this translation helpful? Give feedback.
-
|
I think that's on point. Sorry it's the directions of the arrows which always cause problems for me. When we talk the flow of information as it is operated upon once fully baked, that makes sense yes. We have a similar diagram, ironically just in the opposite perspective at the bottom of this page. But when it comes to USG development/operations/DevOps teams, at least for using OSCAL in the US federal public sector projects which is the popular scenario for now, you need to have the required data drafted and ready for review in the opposite direction (from component->ssp->ap->ar+testify and supporting data), up until the assessment at least. The implied fact is they would need to exist. Because of the large scope of the whole of the Risk Management Framework in 800-37, 800-39, and 800-53 is inside baseball and predates encoding parts of it in OSCAL, I point that out. I am not sure how familiar you are with it, so I just call that out. The idea is you, as a vendor, or a dev/ops/DevOps team knowledgeable of your product, would write components with or within a SSP and know how to document those things first. #1058 is about adding the machine-readable piping between the test capabilities of your tool can be mapped to high level control statements requirements. You could find a way to do that now, but it is not standard and complex to do in a variety of ways. I hope that helps! |
Beta Was this translation helpful? Give feedback.
-
|
I'd love to see the pipeline building the component, ssp, ap and ar with Witness informing the AR build, then pushing it to an API for auditor review. |
Beta Was this translation helpful? Give feedback.
-
|
@colek42 I'm very interested to see Witness and OSCAL integrating. We've been playing with automated component definitions lately also in gitlab CI tasks. We could probably break out a whole discussion about the potential of discovering versus manual creation of certain parts. I'd like to reduce the amount of learning curve a developer needs to go through to provide OSCAL formatted application details. It's pretty steep right now (for good reason), but specific environments could benefit from abstraction layers. |
Beta Was this translation helpful? Give feedback.
-
Would love to see more discussion in the discussion threads (maybe a separate one dedicated to "OSCAL in CI/CD" perhaps) and even the dev lunches where people ask/present about the challenges around this topic. We'd love to hear more about it and know how to roll that into ongoing OSCAL work. Just a thought! |
Beta Was this translation helpful? Give feedback.
-
|
I think there may need to be another conversation before that one can really make sense that determines where the developer versus auditor type responsibilities lay in the various layers. I need to ponder how to even really start that discussion though. :-) Thanks for the encouragement to do so. |
Beta Was this translation helpful? Give feedback.
-
|
The need for Related to the @aj-stein-nist @flickerfly @colek42 @sunstonesecure-robert . Adam Brand of KPMG also presented on this topic at out 2023 OSCAL Conference : https://cdnapisec.kaltura.com/index.php/extwidget/preview/partner_id/684682/uiconf_id/31013851/entry_id/1_e861yoyu/embed/dynamic#t=07:09 |
Beta Was this translation helpful? Give feedback.
-
I would like to solicit use cases and scenarios for the creation of OSCAL
components incomponent-definitions andcomponents insystem-security-plans. The hope is, given participant interest in given use cases and scenarios, we can make a few comprehensive examples.So, for some background, this topic came up during the December 16, 2021 OSCAL Lunch with the Devs meeting. Participants and the NIST OSCAL Team further discussed #1073 in that meeting and what techniques might help the community write tools that produce components or the components themselves.
Tentative List of Use Cases and Scenarios:
components in acomponent-definitionand accompanyinginventory-items referencing them in thecomponent-definition; demo scripts or application code to automatically or semi-automatically produce the inventory and correlate it to the componentcomponents in acomponent-definitionand accompanyinginventory-items referencing them in thecomponent-definitionwith a multi-layered network topology; demo scripts or application code to automatically or semi-automatically produce the inventory and correlate it to the component, focusing on network topology using network scanning tools to partially automate network topology documentationBeta Was this translation helpful? Give feedback.
All reactions