OASIS Cyber Threat Intelligence (CTI) TC


TAXII definition of "Done"

  • 1.  TAXII definition of "Done"

    Posted 11-27-2018 20:56
    All,

    As I mentioned on the working call today, we have imposed a very strict definition of “Done” for new features/objects in STIX, however, we have never agreed as a TC to impose the same rigorous standards to TAXII. Given the fact that some of the issues that prompted us to implement this definition came about when people attempted to implement TAXII, it seems only logical to me that we would impose the same standards to both specifications.

    As a reminder, the definition of “Done” for STIX includes:

      - Written specification text
      - Proof of concept code from at least two different developers/companies
      - Corresponding Interop tests

    For some of the newer features in TAXII, namely TAXII query, it seems to make sense to me that it should be proved in code before we finalize it in the specification.

    I wanted to bring this topic to the list and see what other people thought about this.

    Thanks,

    Sarah Kelley
    Lead Cybersecurity Engineer, T8B2
    Defensive Operations
    The MITRE Corporation
    703-983-6242
    skelley@mitre.org


  • 2.  Re: [cti] TAXII definition of "Done"

    Posted 11-27-2018 21:15
    I would also agree that TAXII features should also meet the STIX definition of "done" in order to be included in the spec.

    -
    Jason Keirstead
    Lead Architect - IBM Security Connect
    www.ibm.com/security

    "Things may come to those who wait, but only the things left by those who hustle." - Unknown



  • 3.  Re: [cti] TAXII definition of "Done"

    Posted 11-27-2018 21:22




    Agreed, the same motivation for wanting to do this for STIX applies to TAXII. I'd also keep in mind that requiring sponsors and interop text makes it so that you're not just evaluating technical feasibility (the implementation piece), you're also ensuring that there's defined use cases and a real scenario where it can be used (a concern discussed on the call). It's way easier to say yes to something new than to say no, so it's important to have these checks in place to make sure we don't end up with something overly broad again.
     
    John
     


  • 4.  Re: [cti] TAXII definition of "Done"